It’s 2 AM. Your container is leaking memory, a logfile just ate half your disk, and you need to find which process is holding that socket open. You don’t have time to fire up a script or remember whether it’s ps aux | grep or pgrep. You need a one-liner—something you can paste into your terminal, get an answer, and move on.
Here are the ones that actually earn their place in your .bash_history.
File Operations
Find all files modified in the last 24 hours (useful for auditing what changed):
find /var/log -type f -mtime -1 -exec ls -lh {} \;Recursively rename file extensions from .log to .bak:
find . -name "*.log" -type f -exec sh -c 'mv "$1" "${1%.log}.bak"' _ {} \;Delete files older than 30 days (e.g., old backups):
find /backups -type f -mtime +30 -deleteList files sorted by size, largest first:
ls -lhS | grep -v '^d' | head -20Find empty directories and delete them:
find . -type d -empty -deleteProcess & System
Find what’s eating your CPU right now:
ps aux --sort=-%cpu | head -6Find the top memory hogs:
ps aux --sort=-%mem | head -6Kill all processes matching a pattern (replace nginx with whatever):
pkill -f nginxWatch a command’s output refresh every 2 seconds (no need for watch if you’ve got tail):
while true; do clear; your-command; sleep 2; doneShow how many connections are in ESTABLISHED state right now:
netstat -an | grep ESTABLISHED | wc -lNetworking
Test if a port is open on a host without netcat:
(echo > /dev/tcp/192.168.1.100/22) 2>/dev/null && echo "Port 22 open" || echo "Port 22 closed"Find your external IP from the CLI:
curl -s https://icanhazip.comShow all active TCP connections with their state:
ss -tan | grep ESTABFind what process is listening on a specific port (e.g., port 8080):
lsof -i :8080Text Processing
Count unique lines in a file (removes duplicates, then counts):
sort file.txt | uniq -cSort and deduplicate a file in place:
sort -u file.txt -o file.txtExtract IP addresses from a logfile:
grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' logfile.log | sort | uniq -cRemove blank lines from a file:
sed '/^$/d' file.txtPrint every Nth line (e.g., every 10th line):
sed -n '0~10p' file.txtCount occurrences of a word in a file (case-insensitive):
grep -io "error" logfile.log | wc -lDisk & Space
Find the top 10 largest directories:
du -sh */ | sort -hr | head -10Check inode usage on your filesystem:
df -iFind which inode is consuming space (slow on huge trees, but works):
find . -type f -printf '%s %p\n' | sort -rn | head -10Get a breakdown of disk usage by directory (one level deep):
du -sh */ | sort -hrThe trick with one-liners isn’t memorizing them—it’s knowing they exist. Save this article in a bookmark, grep your .bash_history, or alias the ones you run weekly. Your 2 AM self will thank you when you’re not digging through man pages at the worst possible time.
Related Reading
- Logrotate & Compression
- SumGuy’s Guide to Linux Log Analysis
- Archive & Compression utilities
- Bulk File Renaming on Linux: rename, vidir, fd
- Compression in 2026: zstd Changed the Game
When One-Liners Bite Back
Speaking of grepping your .bash_history at 2 AM — here are the ways these commands will betray you if you’re not paying attention.
find -delete doesn’t ask permission
find /backups -type f -mtime +30 -deleteThere’s no “are you sure?” No recycle bin. If your find predicate is slightly wrong — maybe you forgot -type f and caught symlinks, or the path resolved somewhere unexpected — it’s just gone. Always dry-run first by dropping -delete and replacing it with -print:
find /backups -type f -mtime +30 -printConfirm the list looks sane. Then add -delete. This takes an extra 10 seconds and has saved my skin more than once.
pkill -f matches more than you think
pkill -f nginx pattern-matches against the full command line, not just the process name. That means if you have a Python script that logs to /var/log/nginx-errors.log, it’s in scope. Check what you’re about to kill first:
pgrep -fa nginx-a prints the full command line next to the PID. Anything you don’t expect in that list should give you pause before you pkill.
sort -u file.txt -o file.txt can race itself
On most systems this is fine because sort buffers output before writing, but not every POSIX implementation guarantees it. If you’re doing this in a script and you’re not sure about the environment, use a temp file:
sort -u file.txt > /tmp/file.sorted && mv /tmp/file.sorted file.txtUgly, yes. Losing the file contents because sort opened it for writing before it finished reading, also ugly.
/dev/tcp isn’t available everywhere
The bash /dev/tcp trick for port testing is a bashism — it doesn’t exist in sh, dash, or restricted shells. If your script shebang is #!/bin/sh, this silently fails. Also doesn’t work inside some containers that have stripped /dev. If you’re in that situation, nc -z -w1 host port is more portable, or just install nmap and move on with your life.
Inode counts can fool you on df -i
If df -i shows 95% inode usage but df -h shows plenty of disk space, you’ve probably got a log directory or temp folder absolutely littered with tiny files. The culprit is almost always something like a PHP session directory or a mail spool. Track it down with:
find / -xdev -printf '%h\n' | sort | uniq -c | sort -rn | head -20That prints the directory containing each file (not the file itself), counts them up, and shows you where the density is highest. The -xdev flag keeps it from crossing filesystem boundaries, so you’re not waiting forever.
None of these will kill you if you know they’re coming. The ones that get you are the ones you run on autopilot at 2 AM when you’re tired and moving fast. Slow down by exactly one step — dry-run, then act — and most of these gotchas stay hypothetical.
