Introduction
A collection of AWK commands gathered while inspecting nginx and other access logs in day-to-day work.
Options
-F: specify the field delimiter
-F" " # space-delimited
-F"\t" # tab-delimited
-F"," # comma-delimited
Common use cases
Print the nth column in each line
Replace n with the column index (for example $14).
awk -F" " '{print $n}' access.log
Example: print the 14th column from a space-delimited log.
awk -F" " '{print $14}' access.log
Print records only when a condition is met
awk -F" " '{if (CONDITION) print OUTPUT}' access.log
Example: print the 14th column only when its numeric value is greater than 0.2.
awk -F" " '{if ($14 > 0.2) print $14}' access.log
Prefix each line with a running count
$0 holds the entire record.
awk -F" " '{count++; print count " " $0}' access.log
Print the number of processed lines at the end
awk -F" " '{count++} END {print count}' access.log
Filter records within a specific datetime range
awk -F" " '{
    # START_TIMESTAMP and END_TIMESTAMP are quoted strings, e.g. "2021-09-03 14:09:00"
    ts = $COLUMN_WITH_TIMESTAMP
    if (ts >= START_TIMESTAMP && ts <= END_TIMESTAMP) {
        print $0
    }
}' access.log
If the log stores the date and time in separate columns:
awk -F" " '{
    ts = $DATE_COLUMN " " $TIME_COLUMN
    if (ts >= START_TIMESTAMP && ts <= END_TIMESTAMP) {
        print $0
    }
}' access.log
If the time column includes milliseconds and you want HH:MM:SS precision (for example 14:09:23,187):
awk -F" " '{
    split($TIME_COLUMN, arr, ",") # split timestamp by comma into array arr
    ts = $DATE_COLUMN " " arr[1]
    if (ts >= START_TIMESTAMP && ts <= END_TIMESTAMP) {
        print $0
    }
}' access.log
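Example: select lines within a range expressed as YYYY-MM-DD HH:MM:SS. The comparison is a string comparison, which works here because this format sorts as text in chronological order.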
awk -F" " '{
    split($2, arr, ",")
    ts = $1 " " arr[1]
    if (ts >= "2021-09-03 14:09:00" && ts <= "2021-09-04 00:00:00") {
        print $0
    }
}' sample.log
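nginx's default $time_local timestamp (for example [03/Sep/2021:14:09:00 +0000]) does not sort as text, so the string comparison above cannot be applied to it directly. The following added example, which is not from the original page and goes beyond its YYYY-MM-DD case, rebuilds a sortable key in POSIX awk before comparing. The function names, the sample lines, and the assumption that the timestamp sits in column 4 with one UTC offset throughout the log are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes nginx's default "combined"
# format, where $4 is "[03/Sep/2021:14:09:00" and $5 is the UTC offset.
# The offset is ignored: the range must be given in the log's own timezone.

# filter_time_local FROM TO FILE   (FROM/TO as "YYYY-MM-DD HH:MM:SS")
filter_time_local() {
    awk -F" " -v from_ts="$1" -v to_ts="$2" '
    BEGIN {
        # Map month names to zero-padded numbers so the key sorts as text.
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= n; i++) month[names[i]] = sprintf("%02d", i)
    }
    {
        # Strip the leading "[" and split dd/Mon/yyyy:HH:MM:SS into 6 parts.
        if (substr($4, 1, 1) != "[" ||
            split(substr($4, 2), t, "[/:]") != 6 || !(t[2] in month)) {
            bad++   # unparsable timestamp: count it instead of guessing
            next
        }
        ts = t[3] "-" month[t[2]] "-" t[1] " " t[4] ":" t[5] ":" t[6]
        if (ts >= from_ts && ts <= to_ts) print $0
    }
    END { if (bad) print "skipped " bad " unparsable line(s)" > "/dev/stderr" }
    ' "$3"
}

# Constructed sample log lines (documentation IP ranges), for illustration only.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [03/Sep/2021:14:08:59 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
192.0.2.10 - - [03/Sep/2021:14:09:00 +0000] "GET /login HTTP/1.1" 200 1043 "-" "curl/7.68.0"
198.51.100.7 - - [30/Sep/2021:23:59:59 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2021:00:00:00 +0000] "GET /admin HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.5 - - - "truncated line with no timestamp"
EOF
}

# Keep 3 Sep 14:09:00 through 30 Sep 23:59:59; "-" makes awk read stdin.
sample_log | filter_time_local "2021-09-03 14:09:00" "2021-09-30 23:59:59" -
```

Comparing the raw field as text would place 01/Oct before 03/Sep, which is why the key is rebuilt first. Lines whose timestamp cannot be parsed are counted on stderr rather than silently dropped.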
nginx-specific use cases
Tail the access log and print rows when request_time exceeds a threshold (200 ms in this example)
Note: the column index for request_time depends on your nginx.conf log format. In this example it is column 14. request_time is reported in seconds, so 0.2 represents 200 ms. $4 outputs the date column.
tail -F /var2/log/nginx/access.log \
| awk -F" " '{if ($14 > 0.2) {count++; print count " " $4 " " $14 "s"}} END {print count}'