{ "schemaVersion": "1.0", "item": { "slug": "log-analyzer", "name": "Log Analyzer", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/gitgoodordietrying/log-analyzer", "canonicalUrl": "https://clawhub.ai/gitgoodordietrying/log-analyzer", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/log-analyzer", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=log-analyzer", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/log-analyzer" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/log-analyzer", "agentPageUrl": "https://openagent3.xyz/skills/log-analyzer/agent", "manifestUrl": "https://openagent3.xyz/skills/log-analyzer/agent.json", "briefUrl": "https://openagent3.xyz/skills/log-analyzer/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Log Analyzer", "body": "Parse, search, and debug from application logs. Covers plain text logs, structured JSON logs, stack traces, multi-service correlation, and real-time monitoring." }, { "title": "When to Use", "body": "Debugging application errors from log files\nSearching logs for specific patterns, errors, or request IDs\nParsing and analyzing stack traces\nSetting up structured logging (JSON) in applications\nCorrelating events across multiple services or log files\nMonitoring logs in real time during development\nGenerating error frequency reports or summaries" }, { "title": "Find errors and exceptions", "body": "# All errors in a log file\ngrep -i 'error\\|exception\\|fatal\\|panic\\|fail' app.log\n\n# Errors with 3 lines of context\ngrep -i -C 3 'error\\|exception' app.log\n\n# Errors in the last hour (ISO timestamps)\nHOUR_AGO=$(date -u -d '1 hour ago' '+%Y-%m-%dT%H:%M' 2>/dev/null || date -u -v-1H '+%Y-%m-%dT%H:%M')\nawk -v t=\"$HOUR_AGO\" '$0 ~ /^[0-9]{4}-[0-9]{2}-[0-9]{2}T/ && $1 >= t' app.log | grep -i 'error'\n\n# Count errors by type\ngrep -oP '(?:Error|Exception): \\K[^\\n]+' app.log | sort | uniq -c | sort -rn | head -20\n\n# HTTP 5xx errors from access logs\nawk '$9 >= 500' access.log" }, { "title": "Search by request or correlation ID", "body": "# Trace a single request across log entries\ngrep 'req-abc123' app.log\n\n# Across multiple files\ngrep -r 'req-abc123' /var/log/myapp/\n\n# Across multiple services (with filename prefix)\ngrep -rH 'correlation-id-xyz' /var/log/service-a/ /var/log/service-b/ /var/log/service-c/" }, { "title": "Time-range filtering", "body": "# Between two timestamps (ISO format)\nawk '$0 >= \"2026-02-03T10:00\" && $0 <= \"2026-02-03T11:00\"' app.log\n\n# Last N lines (tail)\ntail -1000 app.log | grep -i error\n\n# Since a specific time (GNU date)\nawk -v start=\"$(date -d '30 minutes ago' '+%Y-%m-%dT%H:%M')\" '$1 >= start' app.log" }, { "title": "Parse with jq", "body": "# Pretty-print JSON logs\ncat app.log | jq '.'\n\n# Filter by level\ncat app.log | jq 'select(.level == \"error\")'\n\n# Filter by time range\ncat app.log | jq 'select(.timestamp >= \"2026-02-03T10:00:00Z\")'\n\n# Extract specific fields\ncat app.log | jq -r '[.timestamp, .level, .message] | @tsv'\n\n# Count by level\ncat app.log | jq -r '.level' | sort | uniq -c | sort -rn\n\n# Filter by nested field\ncat app.log | jq 'select(.context.userId == \"user-123\")'\n\n# Group errors by message\ncat app.log | jq -r 'select(.level == \"error\") | .message' | sort | uniq -c | sort -rn\n\n# Extract request duration stats\ncat app.log | jq -r 'select(.duration != null) | .duration' | awk '{sum+=$1; count++; if($1>max)max=$1} END {print \"count=\"count, \"avg=\"sum/count, \"max=\"max}'" }, { "title": "Parse mixed-format logs (JSON lines mixed with plain text)", "body": "# Extract only valid JSON lines\nwhile IFS= read -r line; do\n echo \"$line\" | jq '.' 2>/dev/null && continue\ndone < app.log\n\n# Or with grep for lines starting with {\ngrep '^\\s*{' app.log | jq '.'" }, { "title": "Extract and deduplicate stack traces", "body": "# Extract Java/Kotlin stack traces (starts with Exception/Error, followed by \\tat lines)\nawk '/Exception|Error/{trace=$0; while(getline && /^\\t/) trace=trace\"\\n\"$0; print trace\"\\n---\"}' app.log\n\n# Extract Python tracebacks\nawk '/^Traceback/{p=1} p{print} /^[A-Za-z].*Error/{if(p) print \"---\"; p=0}' app.log\n\n# Extract Node.js stack traces (Error + indented \"at\" lines)\nawk '/Error:/{trace=$0; while(getline && /^ at /) trace=trace\"\\n\"$0; print trace\"\\n---\"}' app.log\n\n# Deduplicate: group by root cause (first line of trace)\nawk '/Exception|Error:/{cause=$0} /^\\tat|^ at /{next} cause{print cause; cause=\"\"}' app.log | sort | uniq -c | sort -rn" }, { "title": "Python traceback parser", "body": "#!/usr/bin/env python3\n\"\"\"Parse Python tracebacks from log files and group by root cause.\"\"\"\nimport sys\nimport re\nfrom collections import Counter\n\ndef extract_tracebacks(filepath):\n tracebacks = []\n current = []\n in_trace = False\n\n with open(filepath) as f:\n for line in f:\n if line.startswith('Traceback (most recent call last):'):\n in_trace = True\n current = [line.rstrip()]\n elif in_trace:\n current.append(line.rstrip())\n # Exception line ends the traceback\n if re.match(r'^[A-Za-z]\\w*(Error|Exception|Warning)', line):\n tracebacks.append('\\n'.join(current))\n in_trace = False\n current = []\n return tracebacks\n\nif __name__ == '__main__':\n filepath = sys.argv[1] if len(sys.argv) > 1 else '/dev/stdin'\n traces = extract_tracebacks(filepath)\n\n # Group by exception type and message\n causes = Counter()\n for trace in traces:\n lines = trace.split('\\n')\n cause = lines[-1] if lines else 'Unknown'\n causes[cause] += 1\n\n print(f\"Found {len(traces)} tracebacks, {len(causes)} unique causes:\\n\")\n for cause, count in causes.most_common(20):\n print(f\" {count:4d}x {cause}\")" }, { "title": "Tail and filter", "body": "# Follow log file, highlight errors in red\ntail -f app.log | grep --color=always -i 'error\\|warn\\|$'\n\n# Follow and filter to errors only\ntail -f app.log | grep --line-buffered -i 'error\\|exception'\n\n# Follow JSON logs, pretty-print errors\ntail -f app.log | while IFS= read -r line; do\n level=$(echo \"$line\" | jq -r '.level // empty' 2>/dev/null)\n if [ \"$level\" = \"error\" ] || [ \"$level\" = \"fatal\" ]; then\n echo \"$line\" | jq '.'\n fi\ndone\n\n# Follow multiple files\ntail -f /var/log/service-a/app.log /var/log/service-b/app.log\n\n# Follow with timestamps (useful when log doesn't include them)\ntail -f app.log | while IFS= read -r line; do\n echo \"$(date '+%H:%M:%S') $line\"\ndone" }, { "title": "Watch for specific patterns and alert", "body": "# Beep on error (terminal bell)\ntail -f app.log | grep --line-buffered -i 'error' | while read line; do\n echo -e \"\\a$line\"\ndone\n\n# Count errors per minute\ntail -f app.log | grep --line-buffered -i 'error' | while read line; do\n echo \"$(date '+%Y-%m-%d %H:%M') ERROR\"\ndone | uniq -c" }, { "title": "Common access log (Apache/Nginx)", "body": "# Parse fields: IP, date, method, path, status, size\nawk '{print $1, $9, $7}' access.log\n\n# Top IPs by request count\nawk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20\n\n# Top paths by request count\nawk '{print $7}' access.log | sort | uniq -c | sort -rn | head -20\n\n# Slow requests (response time in last field, microseconds)\nawk '{if ($NF > 1000000) print $0}' access.log\n\n# Requests per minute\nawk '{split($4,a,\":\"); print a[1]\":\"a[2]\":\"a[3]}' access.log | uniq -c\n\n# Status code distribution\nawk '{print $9}' access.log | sort | uniq -c | sort -rn\n\n# 4xx and 5xx with paths\nawk '$9 >= 400 {print $9, $7}' access.log | sort | uniq -c | sort -rn | head -20" }, { "title": "Custom delimited logs", "body": "# Pipe-delimited: timestamp|level|service|message\nawk -F'|' '{print $2, $3, $4}' app.log\n\n# Tab-delimited\nawk -F'\\t' '$2 == \"ERROR\" {print $1, $4}' app.log\n\n# CSV logs\npython3 -c \"\nimport csv, sys\nwith open(sys.argv[1]) as f:\n for row in csv.DictReader(f):\n if row.get('level') == 'error':\n print(f\\\"{row['timestamp']} {row['message']}\\\")\n\" app.csv" }, { "title": "Node.js (pino — fast JSON logger)", "body": "// npm install pino\nconst pino = require('pino');\nconst logger = pino({\n level: process.env.LOG_LEVEL || 'info',\n // Add standard fields to every log line\n base: { service: 'my-api', version: '1.2.0' },\n});\n\n// Usage\nlogger.info({ userId: 'u123', action: 'login' }, 'User logged in');\nlogger.error({ err, requestId: req.id }, 'Request failed');\n\n// Output: {\"level\":30,\"time\":1706900000000,\"service\":\"my-api\",\"userId\":\"u123\",\"action\":\"login\",\"msg\":\"User logged in\"}\n\n// Child logger with bound context\nconst reqLogger = logger.child({ requestId: req.id, userId: req.user?.id });\nreqLogger.info('Processing order');\nreqLogger.error({ err }, 'Order failed');" }, { "title": "Python (structlog)", "body": "# pip install structlog\nimport structlog\n\nstructlog.configure(\n processors=[\n structlog.processors.TimeStamper(fmt=\"iso\"),\n structlog.processors.add_log_level,\n structlog.processors.JSONRenderer(),\n ],\n)\nlogger = structlog.get_logger(service=\"my-api\")\n\n# Usage\nlogger.info(\"user_login\", user_id=\"u123\", ip=\"1.2.3.4\")\nlogger.error(\"request_failed\", request_id=\"req-abc\", error=str(e))\n\n# Output: {\"event\":\"user_login\",\"user_id\":\"u123\",\"ip\":\"1.2.3.4\",\"level\":\"info\",\"timestamp\":\"2026-02-03T12:00:00Z\",\"service\":\"my-api\"}" }, { "title": "Go (zerolog)", "body": "import (\n \"os\"\n \"github.com/rs/zerolog\"\n \"github.com/rs/zerolog/log\"\n)\n\nfunc init() {\n zerolog.TimeFieldFormat = zerolog.TimeFormatUnix\n log.Logger = zerolog.New(os.Stdout).With().\n Timestamp().\n Str(\"service\", \"my-api\").\n Logger()\n}\n\n// Usage\nlog.Info().Str(\"userId\", \"u123\").Msg(\"User logged in\")\nlog.Error().Err(err).Str(\"requestId\", reqID).Msg(\"Request failed\")" }, { "title": "Generate error frequency report", "body": "#!/bin/bash\n# error-report.sh - Summarize errors from a log file\nLOG=\"${1:?Usage: error-report.sh }\"\n\necho \"=== Error Report: $(basename \"$LOG\") ===\"\necho \"Generated: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"\"\n\ntotal=$(wc -l < \"$LOG\")\nerrors=$(grep -ci 'error\\|exception\\|fatal' \"$LOG\")\nwarns=$(grep -ci 'warn' \"$LOG\")\n\necho \"Total lines: $total\"\necho \"Errors: $errors\"\necho \"Warnings: $warns\"\necho \"\"\n\necho \"--- Top 15 Error Messages ---\"\ngrep -i 'error\\|exception' \"$LOG\" | \\\n sed 's/^[0-9TZ:.+\\-]* //' | \\\n sed 's/\\b[0-9a-f]\\{8,\\}\\b/ID/g' | \\\n sed 's/[0-9]\\{1,\\}/N/g' | \\\n sort | uniq -c | sort -rn | head -15\necho \"\"\n\necho \"--- Errors Per Hour ---\"\ngrep -i 'error\\|exception' \"$LOG\" | \\\n grep -oP '\\d{4}-\\d{2}-\\d{2}T\\d{2}' | \\\n sort | uniq -c\necho \"\"\n\necho \"--- First Occurrence of Each Error Type ---\"\ngrep -i 'error\\|exception' \"$LOG\" | \\\n sed 's/^[0-9TZ:.+\\-]* //' | \\\n sort -u | head -10" }, { "title": "JSON log error report with Python", "body": "#!/usr/bin/env python3\n\"\"\"Generate error summary from JSON log files.\"\"\"\nimport json\nimport sys\nfrom collections import Counter, defaultdict\nfrom datetime import datetime\n\ndef analyze_logs(filepath):\n errors = []\n levels = Counter()\n errors_by_hour = defaultdict(int)\n\n with open(filepath) as f:\n for line in f:\n try:\n entry = json.loads(line.strip())\n except (json.JSONDecodeError, ValueError):\n continue\n\n level = entry.get('level', entry.get('severity', '')).lower()\n levels[level] += 1\n\n if level in ('error', 'fatal', 'critical'):\n msg = entry.get('message', entry.get('msg', entry.get('event', 'unknown')))\n ts = entry.get('timestamp', entry.get('time', ''))\n errors.append({'message': msg, 'timestamp': ts, 'entry': entry})\n\n # Group by hour\n try:\n hour = ts[:13] # \"2026-02-03T12\"\n errors_by_hour[hour] += 1\n except (TypeError, IndexError):\n pass\n\n # Group errors by message\n error_counts = Counter(e['message'] for e in errors)\n\n print(f\"=== Log Analysis: {filepath} ===\\n\")\n print(\"Level distribution:\")\n for level, count in levels.most_common():\n print(f\" {level:10s} {count}\")\n\n print(f\"\\nTotal errors: {len(errors)}\")\n print(f\"Unique error messages: {len(error_counts)}\\n\")\n\n print(\"Top 15 errors:\")\n for msg, count in error_counts.most_common(15):\n print(f\" {count:4d}x {msg[:100]}\")\n\n if errors_by_hour:\n print(\"\\nErrors by hour:\")\n for hour in sorted(errors_by_hour):\n bar = '#' * min(errors_by_hour[hour], 50)\n print(f\" {hour} {errors_by_hour[hour]:4d} {bar}\")\n\nif __name__ == '__main__':\n analyze_logs(sys.argv[1])" }, { "title": "Merge and sort logs from multiple services", "body": "# Merge multiple log files, sort by timestamp\nsort -m -t'T' -k1,1 service-a.log service-b.log service-c.log > merged.log\n\n# If files aren't individually sorted, use full sort\nsort -t'T' -k1,1 service-*.log > merged.log\n\n# Merge JSON logs, add source field\nfor f in service-*.log; do\n service=$(basename \"$f\" .log)\n jq --arg svc \"$service\" '. + {source: $svc}' \"$f\"\ndone | jq -s 'sort_by(.timestamp)[]'" }, { "title": "Trace a request across services", "body": "# Find all log entries for a correlation/request ID across all services\nREQUEST_ID=\"req-abc-123\"\ngrep -rH \"$REQUEST_ID\" /var/log/services/ | sort -t: -k2\n\n# With JSON logs\nfor f in /var/log/services/*.log; do\n jq --arg rid \"$REQUEST_ID\" 'select(.requestId == $rid or .correlationId == $rid)' \"$f\" 2>/dev/null\ndone | jq -s 'sort_by(.timestamp)[]'" }, { "title": "Working with rotated/compressed logs", "body": "# Search across rotated logs (including .gz)\nzgrep -i 'error' /var/log/app.log*\n\n# Search today's and yesterday's logs\nzgrep -i 'error' /var/log/app.log /var/log/app.log.1\n\n# Decompress, filter, and recompress\nzcat app.log.3.gz | grep 'ERROR' | gzip > errors-day3.gz" }, { "title": "Sampling large files", "body": "# Random sample of 1000 lines\nshuf -n 1000 huge.log > sample.log\n\n# Every 100th line\nawk 'NR % 100 == 0' huge.log > sample.log\n\n# First and last 500 lines\n{ head -500 huge.log; echo \"--- TRUNCATED ---\"; tail -500 huge.log; } > excerpt.log" }, { "title": "Tips", "body": "Always search for a request ID or correlation ID first — it narrows the haystack faster than timestamps or error messages.\nUse --line-buffered with grep when piping from tail -f so output isn't delayed by buffering.\nNormalize IDs and numbers before grouping errors (sed 's/[0-9a-f]\\{8,\\}/ID/g') to collapse duplicates that differ only by ID.\nFor JSON logs, jq is indispensable. Install it if it's not available: apt install jq / brew install jq.\nStructured logging (JSON) is always worth the setup cost. It makes every analysis task easier: filtering, grouping, correlation, and alerting all become jq one-liners.\nWhen debugging a production issue: get the time window and affected user/request ID first, then filter logs to that scope before reading anything.\nawk is faster than grep | sort | uniq -c pipelines for large files. Use it for counting and aggregation." } ], "body": "Log Analyzer\n\nParse, search, and debug from application logs. Covers plain text logs, structured JSON logs, stack traces, multi-service correlation, and real-time monitoring.\n\nWhen to Use\nDebugging application errors from log files\nSearching logs for specific patterns, errors, or request IDs\nParsing and analyzing stack traces\nSetting up structured logging (JSON) in applications\nCorrelating events across multiple services or log files\nMonitoring logs in real time during development\nGenerating error frequency reports or summaries\nQuick Search Patterns\nFind errors and exceptions\n# All errors in a log file\ngrep -i 'error\\|exception\\|fatal\\|panic\\|fail' app.log\n\n# Errors with 3 lines of context\ngrep -i -C 3 'error\\|exception' app.log\n\n# Errors in the last hour (ISO timestamps)\nHOUR_AGO=$(date -u -d '1 hour ago' '+%Y-%m-%dT%H:%M' 2>/dev/null || date -u -v-1H '+%Y-%m-%dT%H:%M')\nawk -v t=\"$HOUR_AGO\" '$0 ~ /^[0-9]{4}-[0-9]{2}-[0-9]{2}T/ && $1 >= t' app.log | grep -i 'error'\n\n# Count errors by type\ngrep -oP '(?:Error|Exception): \\K[^\\n]+' app.log | sort | uniq -c | sort -rn | head -20\n\n# HTTP 5xx errors from access logs\nawk '$9 >= 500' access.log\n\nSearch by request or correlation ID\n# Trace a single request across log entries\ngrep 'req-abc123' app.log\n\n# Across multiple files\ngrep -r 'req-abc123' /var/log/myapp/\n\n# Across multiple services (with filename prefix)\ngrep -rH 'correlation-id-xyz' /var/log/service-a/ /var/log/service-b/ /var/log/service-c/\n\nTime-range filtering\n# Between two timestamps (ISO format)\nawk '$0 >= \"2026-02-03T10:00\" && $0 <= \"2026-02-03T11:00\"' app.log\n\n# Last N lines (tail)\ntail -1000 app.log | grep -i error\n\n# Since a specific time (GNU date)\nawk -v start=\"$(date -d '30 minutes ago' '+%Y-%m-%dT%H:%M')\" '$1 >= start' app.log\n\nJSON / Structured Logs\nParse with jq\n# Pretty-print JSON logs\ncat app.log | jq '.'\n\n# Filter by level\ncat app.log | jq 'select(.level == \"error\")'\n\n# Filter by time range\ncat app.log | jq 'select(.timestamp >= \"2026-02-03T10:00:00Z\")'\n\n# Extract specific fields\ncat app.log | jq -r '[.timestamp, .level, .message] | @tsv'\n\n# Count by level\ncat app.log | jq -r '.level' | sort | uniq -c | sort -rn\n\n# Filter by nested field\ncat app.log | jq 'select(.context.userId == \"user-123\")'\n\n# Group errors by message\ncat app.log | jq -r 'select(.level == \"error\") | .message' | sort | uniq -c | sort -rn\n\n# Extract request duration stats\ncat app.log | jq -r 'select(.duration != null) | .duration' | awk '{sum+=$1; count++; if($1>max)max=$1} END {print \"count=\"count, \"avg=\"sum/count, \"max=\"max}'\n\nParse mixed-format logs (JSON lines mixed with plain text)\n# Extract only valid JSON lines\nwhile IFS= read -r line; do\n echo \"$line\" | jq '.' 2>/dev/null && continue\ndone < app.log\n\n# Or with grep for lines starting with {\ngrep '^\\s*{' app.log | jq '.'\n\nStack Trace Analysis\nExtract and deduplicate stack traces\n# Extract Java/Kotlin stack traces (starts with Exception/Error, followed by \\tat lines)\nawk '/Exception|Error/{trace=$0; while(getline && /^\\t/) trace=trace\"\\n\"$0; print trace\"\\n---\"}' app.log\n\n# Extract Python tracebacks\nawk '/^Traceback/{p=1} p{print} /^[A-Za-z].*Error/{if(p) print \"---\"; p=0}' app.log\n\n# Extract Node.js stack traces (Error + indented \"at\" lines)\nawk '/Error:/{trace=$0; while(getline && /^ at /) trace=trace\"\\n\"$0; print trace\"\\n---\"}' app.log\n\n# Deduplicate: group by root cause (first line of trace)\nawk '/Exception|Error:/{cause=$0} /^\\tat|^ at /{next} cause{print cause; cause=\"\"}' app.log | sort | uniq -c | sort -rn\n\nPython traceback parser\n#!/usr/bin/env python3\n\"\"\"Parse Python tracebacks from log files and group by root cause.\"\"\"\nimport sys\nimport re\nfrom collections import Counter\n\ndef extract_tracebacks(filepath):\n tracebacks = []\n current = []\n in_trace = False\n\n with open(filepath) as f:\n for line in f:\n if line.startswith('Traceback (most recent call last):'):\n in_trace = True\n current = [line.rstrip()]\n elif in_trace:\n current.append(line.rstrip())\n # Exception line ends the traceback\n if re.match(r'^[A-Za-z]\\w*(Error|Exception|Warning)', line):\n tracebacks.append('\\n'.join(current))\n in_trace = False\n current = []\n return tracebacks\n\nif __name__ == '__main__':\n filepath = sys.argv[1] if len(sys.argv) > 1 else '/dev/stdin'\n traces = extract_tracebacks(filepath)\n\n # Group by exception type and message\n causes = Counter()\n for trace in traces:\n lines = trace.split('\\n')\n cause = lines[-1] if lines else 'Unknown'\n causes[cause] += 1\n\n print(f\"Found {len(traces)} tracebacks, {len(causes)} unique causes:\\n\")\n for cause, count in causes.most_common(20):\n print(f\" {count:4d}x {cause}\")\n\nReal-Time Monitoring\nTail and filter\n# Follow log file, highlight errors in red\ntail -f app.log | grep --color=always -i 'error\\|warn\\|$'\n\n# Follow and filter to errors only\ntail -f app.log | grep --line-buffered -i 'error\\|exception'\n\n# Follow JSON logs, pretty-print errors\ntail -f app.log | while IFS= read -r line; do\n level=$(echo \"$line\" | jq -r '.level // empty' 2>/dev/null)\n if [ \"$level\" = \"error\" ] || [ \"$level\" = \"fatal\" ]; then\n echo \"$line\" | jq '.'\n fi\ndone\n\n# Follow multiple files\ntail -f /var/log/service-a/app.log /var/log/service-b/app.log\n\n# Follow with timestamps (useful when log doesn't include them)\ntail -f app.log | while IFS= read -r line; do\n echo \"$(date '+%H:%M:%S') $line\"\ndone\n\nWatch for specific patterns and alert\n# Beep on error (terminal bell)\ntail -f app.log | grep --line-buffered -i 'error' | while read line; do\n echo -e \"\\a$line\"\ndone\n\n# Count errors per minute\ntail -f app.log | grep --line-buffered -i 'error' | while read line; do\n echo \"$(date '+%Y-%m-%d %H:%M') ERROR\"\ndone | uniq -c\n\nLog Format Parsing\nCommon access log (Apache/Nginx)\n# Parse fields: IP, date, method, path, status, size\nawk '{print $1, $9, $7}' access.log\n\n# Top IPs by request count\nawk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20\n\n# Top paths by request count\nawk '{print $7}' access.log | sort | uniq -c | sort -rn | head -20\n\n# Slow requests (response time in last field, microseconds)\nawk '{if ($NF > 1000000) print $0}' access.log\n\n# Requests per minute\nawk '{split($4,a,\":\"); print a[1]\":\"a[2]\":\"a[3]}' access.log | uniq -c\n\n# Status code distribution\nawk '{print $9}' access.log | sort | uniq -c | sort -rn\n\n# 4xx and 5xx with paths\nawk '$9 >= 400 {print $9, $7}' access.log | sort | uniq -c | sort -rn | head -20\n\nCustom delimited logs\n# Pipe-delimited: timestamp|level|service|message\nawk -F'|' '{print $2, $3, $4}' app.log\n\n# Tab-delimited\nawk -F'\\t' '$2 == \"ERROR\" {print $1, $4}' app.log\n\n# CSV logs\npython3 -c \"\nimport csv, sys\nwith open(sys.argv[1]) as f:\n for row in csv.DictReader(f):\n if row.get('level') == 'error':\n print(f\\\"{row['timestamp']} {row['message']}\\\")\n\" app.csv\n\nSetting Up Structured Logging\nNode.js (pino — fast JSON logger)\n// npm install pino\nconst pino = require('pino');\nconst logger = pino({\n level: process.env.LOG_LEVEL || 'info',\n // Add standard fields to every log line\n base: { service: 'my-api', version: '1.2.0' },\n});\n\n// Usage\nlogger.info({ userId: 'u123', action: 'login' }, 'User logged in');\nlogger.error({ err, requestId: req.id }, 'Request failed');\n\n// Output: {\"level\":30,\"time\":1706900000000,\"service\":\"my-api\",\"userId\":\"u123\",\"action\":\"login\",\"msg\":\"User logged in\"}\n\n// Child logger with bound context\nconst reqLogger = logger.child({ requestId: req.id, userId: req.user?.id });\nreqLogger.info('Processing order');\nreqLogger.error({ err }, 'Order failed');\n\nPython (structlog)\n# pip install structlog\nimport structlog\n\nstructlog.configure(\n processors=[\n structlog.processors.TimeStamper(fmt=\"iso\"),\n structlog.processors.add_log_level,\n structlog.processors.JSONRenderer(),\n ],\n)\nlogger = structlog.get_logger(service=\"my-api\")\n\n# Usage\nlogger.info(\"user_login\", user_id=\"u123\", ip=\"1.2.3.4\")\nlogger.error(\"request_failed\", request_id=\"req-abc\", error=str(e))\n\n# Output: {\"event\":\"user_login\",\"user_id\":\"u123\",\"ip\":\"1.2.3.4\",\"level\":\"info\",\"timestamp\":\"2026-02-03T12:00:00Z\",\"service\":\"my-api\"}\n\nGo (zerolog)\nimport (\n \"os\"\n \"github.com/rs/zerolog\"\n \"github.com/rs/zerolog/log\"\n)\n\nfunc init() {\n zerolog.TimeFieldFormat = zerolog.TimeFormatUnix\n log.Logger = zerolog.New(os.Stdout).With().\n Timestamp().\n Str(\"service\", \"my-api\").\n Logger()\n}\n\n// Usage\nlog.Info().Str(\"userId\", \"u123\").Msg(\"User logged in\")\nlog.Error().Err(err).Str(\"requestId\", reqID).Msg(\"Request failed\")\n\nError Pattern Reports\nGenerate error frequency report\n#!/bin/bash\n# error-report.sh - Summarize errors from a log file\nLOG=\"${1:?Usage: error-report.sh }\"\n\necho \"=== Error Report: $(basename \"$LOG\") ===\"\necho \"Generated: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"\"\n\ntotal=$(wc -l < \"$LOG\")\nerrors=$(grep -ci 'error\\|exception\\|fatal' \"$LOG\")\nwarns=$(grep -ci 'warn' \"$LOG\")\n\necho \"Total lines: $total\"\necho \"Errors: $errors\"\necho \"Warnings: $warns\"\necho \"\"\n\necho \"--- Top 15 Error Messages ---\"\ngrep -i 'error\\|exception' \"$LOG\" | \\\n sed 's/^[0-9TZ:.+\\-]* //' | \\\n sed 's/\\b[0-9a-f]\\{8,\\}\\b/ID/g' | \\\n sed 's/[0-9]\\{1,\\}/N/g' | \\\n sort | uniq -c | sort -rn | head -15\necho \"\"\n\necho \"--- Errors Per Hour ---\"\ngrep -i 'error\\|exception' \"$LOG\" | \\\n grep -oP '\\d{4}-\\d{2}-\\d{2}T\\d{2}' | \\\n sort | uniq -c\necho \"\"\n\necho \"--- First Occurrence of Each Error Type ---\"\ngrep -i 'error\\|exception' \"$LOG\" | \\\n sed 's/^[0-9TZ:.+\\-]* //' | \\\n sort -u | head -10\n\nJSON log error report with Python\n#!/usr/bin/env python3\n\"\"\"Generate error summary from JSON log files.\"\"\"\nimport json\nimport sys\nfrom collections import Counter, defaultdict\nfrom datetime import datetime\n\ndef analyze_logs(filepath):\n errors = []\n levels = Counter()\n errors_by_hour = defaultdict(int)\n\n with open(filepath) as f:\n for line in f:\n try:\n entry = json.loads(line.strip())\n except (json.JSONDecodeError, ValueError):\n continue\n\n level = entry.get('level', entry.get('severity', '')).lower()\n levels[level] += 1\n\n if level in ('error', 'fatal', 'critical'):\n msg = entry.get('message', entry.get('msg', entry.get('event', 'unknown')))\n ts = entry.get('timestamp', entry.get('time', ''))\n errors.append({'message': msg, 'timestamp': ts, 'entry': entry})\n\n # Group by hour\n try:\n hour = ts[:13] # \"2026-02-03T12\"\n errors_by_hour[hour] += 1\n except (TypeError, IndexError):\n pass\n\n # Group errors by message\n error_counts = Counter(e['message'] for e in errors)\n\n print(f\"=== Log Analysis: {filepath} ===\\n\")\n print(\"Level distribution:\")\n for level, count in levels.most_common():\n print(f\" {level:10s} {count}\")\n\n print(f\"\\nTotal errors: {len(errors)}\")\n print(f\"Unique error messages: {len(error_counts)}\\n\")\n\n print(\"Top 15 errors:\")\n for msg, count in error_counts.most_common(15):\n print(f\" {count:4d}x {msg[:100]}\")\n\n if errors_by_hour:\n print(\"\\nErrors by hour:\")\n for hour in sorted(errors_by_hour):\n bar = '#' * min(errors_by_hour[hour], 50)\n print(f\" {hour} {errors_by_hour[hour]:4d} {bar}\")\n\nif __name__ == '__main__':\n analyze_logs(sys.argv[1])\n\nMulti-Service Log Correlation\nMerge and sort logs from multiple services\n# Merge multiple log files, sort by timestamp\nsort -m -t'T' -k1,1 service-a.log service-b.log service-c.log > merged.log\n\n# If files aren't individually sorted, use full sort\nsort -t'T' -k1,1 service-*.log > merged.log\n\n# Merge JSON logs, add source field\nfor f in service-*.log; do\n service=$(basename \"$f\" .log)\n jq --arg svc \"$service\" '. + {source: $svc}' \"$f\"\ndone | jq -s 'sort_by(.timestamp)[]'\n\nTrace a request across services\n# Find all log entries for a correlation/request ID across all services\nREQUEST_ID=\"req-abc-123\"\ngrep -rH \"$REQUEST_ID\" /var/log/services/ | sort -t: -k2\n\n# With JSON logs\nfor f in /var/log/services/*.log; do\n jq --arg rid \"$REQUEST_ID\" 'select(.requestId == $rid or .correlationId == $rid)' \"$f\" 2>/dev/null\ndone | jq -s 'sort_by(.timestamp)[]'\n\nLog Rotation and Large Files\nWorking with rotated/compressed logs\n# Search across rotated logs (including .gz)\nzgrep -i 'error' /var/log/app.log*\n\n# Search today's and yesterday's logs\nzgrep -i 'error' /var/log/app.log /var/log/app.log.1\n\n# Decompress, filter, and recompress\nzcat app.log.3.gz | grep 'ERROR' | gzip > errors-day3.gz\n\nSampling large files\n# Random sample of 1000 lines\nshuf -n 1000 huge.log > sample.log\n\n# Every 100th line\nawk 'NR % 100 == 0' huge.log > sample.log\n\n# First and last 500 lines\n{ head -500 huge.log; echo \"--- TRUNCATED ---\"; tail -500 huge.log; } > excerpt.log\n\nTips\nAlways search for a request ID or correlation ID first — it narrows the haystack faster than timestamps or error messages.\nUse --line-buffered with grep when piping from tail -f so output isn't delayed by buffering.\nNormalize IDs and numbers before grouping errors (sed 's/[0-9a-f]\\{8,\\}/ID/g') to collapse duplicates that differ only by ID.\nFor JSON logs, jq is indispensable. Install it if it's not available: apt install jq / brew install jq.\nStructured logging (JSON) is always worth the setup cost. It makes every analysis task easier: filtering, grouping, correlation, and alerting all become jq one-liners.\nWhen debugging a production issue: get the time window and affected user/request ID first, then filter logs to that scope before reading anything.\nawk is faster than grep | sort | uniq -c pipelines for large files. Use it for counting and aggregation." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/gitgoodordietrying/log-analyzer", "publisherUrl": "https://clawhub.ai/gitgoodordietrying/log-analyzer", "owner": "gitgoodordietrying", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/log-analyzer", "downloadUrl": "https://openagent3.xyz/downloads/log-analyzer", "agentUrl": "https://openagent3.xyz/skills/log-analyzer/agent", "manifestUrl": "https://openagent3.xyz/skills/log-analyzer/agent.json", "briefUrl": "https://openagent3.xyz/skills/log-analyzer/agent.md" } }