I wanted to share a quick one liner that you can run to see the number of requests Apache or Nginx has served per hour on a specific date. This simple one liner can identify if a traffic spike occurred during a timeframe that may have impacted performance.
# Red Hat / CentOS Apache
DATE=$(date +%d/%b/%Y); grep "$DATE" /var/log/httpd/*access?log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
# Debian / Ubuntu Apache
DATE=$(date +%d/%b/%Y); grep "$DATE" /var/log/apache2/*access?log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
# Nginx
DATE=$(date +%d/%b/%Y); grep "$DATE" /var/log/nginx/*access?log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
The following is the expected output on a low traffic server. You will see on the left column is the number of requests, and on the right column you can see the hour. Based on the example we can see that between 12:00pm and 12:59pm there were 1465 requests served.
[root@web2 /]# DATE=$(date +%d/%b/%Y); grep "$DATE" /var/log/nginx/*access?log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c924 00:00
924 00:00
534 01:00
381 02:00
332 03:00
350 04:00
338 05:00
410 06:00
298 07:00
304 08:00
466 09:00
361 10:00
458 11:00
1465 12:00
967 13:00
461 14:00
620 15:00
536 16:00
403 17:00
387 18:00
481 19:00
985 20:00
469 21:00
1066 22:00
446 23:00
Command Breakdown
First we are specifying todays date in the same format that Apache or Nginx logs by default.
DATE=$(date +%d/%b/%Y); grep "$DATE"
[root@mail /]# echo $DATE
02/Oct/2018
So you could easily search for a specific date by modifying the one liner as follows
grep "01/Oct/2018" /var/log/httpd/*access?log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
You might need to change the file location you are searching. The regex I included is very simple and searches the default logging locations on Apache or Nginx, however that could easily be changed to wherever you log on the server. The following example provides the same output for all domains on a Plesk server (version 12 and above)
DATE=$(date +%d/%b/%Y); grep "$DATE" /var/www/vhosts/*/statistics/logs/*access_log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
Conclusion
This one liner is useful in identifying an hour with much higher traffic than the rest. This information will allow you to easily identify a traffic spike or an attack that occurred during the day.