Sysadmin Patterns
VisiData transforms the output of standard Linux commands — ps, df, ss, netstat, du — into interactive, filterable sheets. This lesson covers the most useful sysadmin workflows.
Learning Focus
The core pattern for all sysadmin use: command | vd -f fixed [--skip N] → type numeric columns → sort or frequency table → filter → inspect.
Process Inspection with ps
# Open running processes as an interactive sheet
ps aux | vd -f fixed --skip 1
# Inside VisiData:
# Cast '%CPU' to float: %
# Cast '%MEM' to float: %
# Cast 'RSS' to int: #
# Sort by CPU descending
]
# Top processes by CPU at the top
# Sort by RSS (memory) descending — find memory hogs
] (on RSS column)
# Select processes consuming > 10% CPU
z|
# Enter: CPU > 10
# Frequency table by USER — which users run the most processes
Shift+F (on USER column)
Disk Usage Analysis
# Disk space by filesystem
df -h | vd -f fixed --skip 1
# OR for directory usage
du -sh /var/www/html/* 2>/dev/null | vd -f tsv
# Inside VisiData on du output:
# Cast size column to float if possible
# Sort descending to find biggest directories
Interactive du with directory drill-down
# Browse directory sizes
vd /var/www/html/
# VisiData opens as Directory Sheet
# Navigate with arrow keys
# Press Enter to descend into a directory
# Press q to go back up
# Press Ctrl+G to see full file path in status
Port and Network Analysis
# View listening ports
ss -tulnp | vd -f fixed
# OR with netstat
netstat -tulnp 2>/dev/null | vd -f fixed --skip 2
# Inside VisiData:
# Frequency table on 'State' column → see listening vs established
Shift+F
# Filter to only LISTEN state
|
# Enter: LISTEN
# Frequency table on 'Local Address' → find which ports are in use
Shift+F (on Local Address column)
SQLite Database Inspection
# Open any SQLite database
vd /var/www/html/wp-content/db.sqlite3
# VisiData shows a table directory sheet
# Press Enter on any table to open it as a sheet
# Press q to return to the directory
# Inside a table:
# Use Shift+I to get column statistics
# Use Shift+F to count rows by category
WordPress Database Example
vd /var/www/html/wp.sqlite3
# Navigate to wp_posts table: Enter
# Filter to published posts
| (on post_status column)
# Enter: publish
# Count posts by post_type
Shift+F (on post_type column)
# Find posts modified in last 30 days
# (requires date column typed as @)
# Move to post_modified → @
z|
# Enter: post_modified > '2025-04-01'
Cron Job Log Analysis
vd /var/log/cron
# Search for failed jobs
g/
# Enter: FAILED|error|Error
# Select all failure rows
g|
# Enter: FAILED|error|Error
# Frequency table by script name
Shift+F
Auth Log — Failed Login Detection
vd /var/log/auth.log
# Search for failed SSH attempts
g/
# Enter: Failed password
# Parse with regex to extract IP and user
;
# Enter: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)
# Frequency table on 'ip' — find brute-force IPs
Shift+F (on ip column)
# Sort by count descending
]
# The IPs with the highest failure counts are the likely brute-force sources
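The same regex and per-IP count outside VisiData, as an added example that is not part of the original lesson. It also records which usernames each IP tried and honours syslog's "message repeated N times" lines, which a frequency table counts once. The log lines are constructed samples; the function names and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Same pattern the lesson enters at VisiData's ';' prompt.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# rsyslog collapses duplicate lines into one "message repeated N times" entry.
REPEATED = re.compile(r"message repeated (\d+) times")

# Constructed sample lines in sshd's auth.log format (documentation IP ranges).
SAMPLE = """\
May  4 10:01:02 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
May  4 10:01:05 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
May  4 10:01:09 web1 sshd[815]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
May  4 10:02:11 web1 sshd[820]: Accepted password for deploy from 198.51.100.4 port 51544 ssh2
May  4 10:03:40 web1 sshd[831]: Failed password for deploy from 198.51.100.4 port 51600 ssh2
May  4 10:04:00 web1 sshd[840]: message repeated 2 times: [ Failed password for root from 192.0.2.55 port 2222 ssh2]
"""

def failed_logins(lines):
    """Return (failures per IP, set of usernames tried per IP)."""
    per_ip = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # "Accepted password" and unrelated lines are ignored
        rep = REPEATED.search(line)
        per_ip[m["ip"]] += int(rep.group(1)) if rep else 1
        users[m["ip"]].add(m["user"])
    return per_ip, users

def report(lines, threshold=3):
    """IPs with at least `threshold` failures, most active first."""
    per_ip, users = failed_logins(lines)
    return [(ip, n, sorted(users[ip]))
            for ip, n in per_ip.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n, tried in report(SAMPLE.splitlines()):
        print(f"{ip}\t{n}\t{','.join(tried)}")
```

Many distinct usernames from one IP points to guessing rather than a single user mistyping a password, which the raw count alone does not distinguish.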
System Metrics Monitoring
# Pipe vmstat output to VisiData
vmstat 1 60 | vd -f fixed --skip 2
# OR collect metrics to file and analyze
sar -u 1 60 > /tmp/cpu_metrics.txt
vd -f fixed /tmp/cpu_metrics.txt
Complete Sysadmin Workflow Reference
| Task | Command |
|---|---|
| Browse processes | `ps aux \| vd -f fixed --skip 1` |
| Disk space | `df -h \| vd -f fixed --skip 1` |
| Network ports | `ss -tulnp \| vd -f fixed` |
| Auth failures | `vd /var/log/auth.log` |
| Nginx errors | `vd /var/log/nginx/error.log` |
| SQLite tables | `vd database.sqlite` |
| Directory browser | `vd /path/to/dir/` |
| Cron logs | `vd /var/log/cron` |
| Journal | `journalctl -n 1000 --no-pager \| vd -f txt` |
Troubleshooting Matrix
| Problem | Cause | Fix |
|---|---|---|
| ps aux pipe has wrong columns | Column widths vary | Use --skip 1 and manual type casting |
| SQLite permission denied | File owned by www-data | sudo vd or copy with sudo cp |
| Log file too large | Millions of lines | Add --max-rows 100000 |
| Fixed-width columns misaligned | Column widths not detected | Adjust with --fixed-rows 2000 |
Hands-On Practice
# 1. Browse running processes
ps aux | vd -f fixed --skip 1
# Cast %CPU to float, sort descending with ]
# 2. Browse disk usage
df -h | vd -f fixed --skip 1
# 3. Browse listening ports
ss -tulnp | vd -f fixed
# 4. Browse auth log
vd /var/log/auth.log
# Search for Failed: g/ → Failed password