March 3rd, 2016 at 1:09 PM

IP Address Counts from Apache Access Logs

Combine Grep, Cut, Sort, and Uniq shell commands to filter, and sort an apache (or Nginx, lighthttpd, etc) log file by visitor IP Address counts.

$ grep 'text' /path/to/access.log | cut -d' ' -f1 | sort | uniq -c | sort -r

This is how it works:

Grep: Search the access log file for a particular string (such as a particular resource path or user agent). Pipe the results to:

Cut: Split each line by a space (the apache log file format delimiter) and return the first field (IP address). Also useful are fields 7 and 9 (resource path and status code, respectively in an apache access log).  Pipe the results to:

Sort: Sorts the results by IP, which groups duplicates together. Pipe the results to:

Uniq: Counts and removes duplicate IPs. The “-c” returns the count. Pipe the results to:

Sort: Sort the results in descending order by the uniq count. The “-n” option forces a numeric sort and the “-r” option reverses the order (descending).

Original tip found here:


Comments are closed.

Copyright © 2009 Roger Soucy. All Rights Reserved.
Version 2.0