A fast, practical cheat sheet for daily sysadmin, DevSecOps, log analysis, and automation work. Clean, minimal, and designed for rapid recall.

Mental Model (Quick Recall)

awk 'pattern { action }' file

  • pattern → when to run the action
  • action → what to do (default: print $0)
  • $1, $2 ... $NF → individual fields
  • $0 → whole line

Key Variables

  • NR → global line number
  • NF → number of fields

Common One-Liners (Daily Use)

awk '{ print "ll  "$2 }' /etc/fstab
Prints the second field of each line with the literal prefix “ll  ” in front of it.
awk '!/^#/ && NF { print $0 }'
Filters out comments (lines starting with #) and blank lines.
awk '$3 == "ext4"' /etc/fstab
Shows only lines where the third field equals “ext4”.
awk '/error/ { print }' /var/log/app.log
Prints lines containing the word “error”.

Field Separators (FS)

awk -F":" '{ print $1 }' /etc/passwd
Use -F to specify custom field separators. Multiple delimiters can be specified using regex patterns.

Output Formatting (OFS)

awk 'BEGIN { OFS="," } { print $1, $2 }' file
Outputs fields separated by commas instead of spaces.
awk '{ printf "%-20s %s\n", $1, $2 }'
Left-aligns first field in 20-character column.

Arithmetic & Aggregation

1. Sum a column

awk '{ sum+=$2 } END { print sum }'
Adds up all values in the second field.
2. Count lines

awk 'END { print NR }'
Returns total number of lines processed.
The END block executes after all input lines have been processed, making it perfect for aggregations.

Conditionals

awk '{ if ($3 > 10) print $0 }'

Key Built-in Variables

| Variable | Meaning |
|----------|---------|
| $0 | entire line |
| $1..$NF | fields |
| NF | number of fields |
| NR | line number (global) |
| FNR | line number per file |
| FS | field separator |
| OFS | output field separator |
| RS | record separator |
| ORS | output record separator |

Useful Practical Snippets

awk '!seen[$0]++' file
Keeps only the first occurrence of each unique line.
awk '{ print toupper($1) }'
Converts first field to uppercase.
awk '{ gsub("old","new"); print }'
Replaces all occurrences of “old” with “new” in each line.

Real Sysadmin Examples

Always test AWK commands on sample data before running on production logs or system files.

Parse fstab quickly

awk '!/^#/ && NF { print $1, $2, $3 }' /etc/fstab
Skips comments and blank lines, shows device, mountpoint, and filesystem type.

Extract blocked IPs from logs

awk '/DENIED/ { print $NF }' firewall.log
Finds all “DENIED” entries and prints the last field (typically the IP).

Show failed SSH attempts

awk '/Failed password/ { print $(NF-3) }' /var/log/auth.log
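Extracts the source IP address from failed SSH login attempts. $(NF-3) counts back from the end of the line, so it lands on the address whether or not the message contains “invalid user”.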
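
Going one step beyond the one-liner above, this added example (not part of the original cheat sheet) counts failed SSH logins per source address and applies a threshold. The log lines are constructed samples using documentation address ranges, and the function names sample_auth_log and failed_ssh_by_ip are hypothetical.

```shell
#!/bin/sh
# Constructed sample auth.log lines (documentation address ranges, not real data).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:01:11 host sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:14 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:01:20 host sshd[815]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:02:02 host sshd[820]: Failed password for bob from 198.51.100.9 port 41000 ssh2
Mar  3 10:02:05 host sshd[811]: Failed password for root from 203.0.113.7 port 50144 ssh2
Mar  3 10:02:09 host sshd[830]: Failed password for invalid user x from 2001:db8::5 port 2222 ssh2
EOF
}

# Read auth.log lines on stdin and print "count address" for every source
# with at least $1 failed logins (default 1), busiest source first.
failed_ssh_by_ip() {
    awk -v min="${1:-1}" '
        # NF >= 4 keeps $(NF-3) valid on short lines; the "port" check
        # skips lines whose layout differs from the expected sshd message.
        /Failed password/ && NF >= 4 && $(NF-2) == "port" {
            hits[$(NF-3)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    printf "%d %s\n", hits[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone demo on the constructed sample.
sample_auth_log | failed_ssh_by_ip
```

On a real host, feed the log on stdin, for example `failed_ssh_by_ip 5 < /var/log/auth.log` to list only sources with five or more failures.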

Minimal Recall Table

| Concept | Shortcut |
|---------|----------|
| Fields | $1..$NF |
| Whole line | $0 |
| Line number | NR |
| Filter rows | condition { print } |
| Set delimiter | -F"," |
| Format output | printf |
| Pre/Post blocks | BEGIN / END |
Bookmark this table for quick reference during incident response or log analysis.
