Skip to main content

Sysadmin Patterns

VisiData transforms the output of standard Linux commands — ps, df, ss, netstat, du — into interactive, filterable sheets. This lesson covers the most useful sysadmin workflows.

Learning Focus

The core pattern for all sysadmin use: command | vd -f fixed [--skip N] → type numeric columns → sort or frequency table → filter → inspect.


Process Inspection with ps

ps aux | vd -f fixed --skip 1

Inside VisiData — process list as a sheet:

USER PID %CPU %MEM VSZ RSS COMMAND
root 1 0.0 0.1 168000 9200 /sbin/init
nginx 1234 0.2 0.5 145000 45000 nginx: worker
mysql 2001 1.8 3.2 890000 256000 mysqld
php 3005 45.6 12.4 720000 980000 php-fpm: worker ← high CPU
# Cast %CPU and %MEM to float
# Move to '%CPU' column → press %
# Move to '%MEM' column → press %
# Move to 'RSS' column → press #

# Sort by CPU descending → find CPU hogs
]

# Filter to processes consuming > 5% CPU
z|
# Enter: __floatval(%CPU) > 5

# Frequency table by USER — who runs the most processes?
# Move to 'USER' column → Shift+F

Disk Usage Analysis

df -h | vd -f fixed --skip 1

Result — disk space by filesystem:

Filesystem Size Used Avail Use% Mounted on
/dev/sda1 50G 23G 27G 46% /
/dev/sdb1 200G 187G 13G 93% /var/www ← almost full!
tmpfs 4G 0G 4G 0% /tmp
# Sort by Use% descending to see fullest partitions first
]

# Filter to partitions > 80% full
z|
# Enter: int(__stripped(Use%, '%')) > 80

Network Port Analysis

ss -tulnp | vd -f fixed

Result — listening sockets:

Netid State Local Address:Port Process
tcp LISTEN 0.0.0.0:22 sshd
tcp LISTEN 0.0.0.0:80 nginx
tcp LISTEN 127.0.0.1:3306 mysqld
tcp LISTEN 0.0.0.0:6379 redis-server
# Frequency table on State
# Move to 'State' → Shift+F

# Filter to LISTEN only
|
# Enter: LISTEN

SQLite Database Inspection

vd /var/www/html/wp-content/db.sqlite3

VisiData shows a table directory:

table_name
wp_posts
wp_users
wp_comments
wp_options
# Press Enter on 'wp_posts' → open as sheet
# Press Shift+I → describe all columns
# Press Shift+F on 'post_status' → count by status

# Filter to published posts only:
|
# Enter: publish

# Count posts by post_type
Shift+F
# on 'post_type' column

Auth Log Failed Login Detection

vd /var/log/auth.log

# Search for failed SSH attempts
g/
# Enter: Failed password

# Parse to extract attacking IP and username
;
# Enter: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)

# Move to 'ip' column → frequency table
Shift+F

# Sort by count descending
]

Result — top attacking IPs:

ip count percent
203.0.113.50 147 52.3% ← likely bot/brute force
198.51.100.8 89 31.7%
192.0.2.15 44 15.7%

Cron Job Log Analysis

vd /var/log/cron

# Search for failures across all columns
g/
# Enter: FAILED|error|Error

# Select all failure rows
g|
# Enter: FAILED|error|Error

# Open filtered sheet
"

# Frequency table by job name
Shift+F

Directory Browser

vd ~/github/practice-folder/visidata/

# Opens Directory Sheet — file browser
# Columns: name, size, modified, extension

# Press Enter to descend into a directory
# Press q to go back up

Complete Sysadmin Workflow Reference

TaskCommand
Browse processesps aux | vd -f fixed --skip 1
Disk spacedf -h | vd -f fixed --skip 1
Network portsss -tulnp | vd -f fixed
Auth failuresvd /var/log/auth.log
Nginx access logvd /var/log/nginx/access.log
SQLite tablesvd ~/github/practice-folder/visidata/08-sysadmin/site.sqlite
Directory browservd /path/to/dir/
Cron logsvd /var/log/cron
Systemd journaljournalctl -n 1000 --no-pager | vd -f txt
vmstat monitoringvmstat 1 60 | vd -f fixed --skip 2

Troubleshooting

ProblemCauseFix
ps aux pipe has wrong columnsColumn widths varyUse --skip 1 and manual type casting
SQLite permission deniedFile owned by www-datasudo vd or copy with sudo cp
Log file too largeMillions of linesAdd --max-rows 100000
Fixed-width columns misalignedColumn widths not detectedAdjust with --fixed-rows 2000

Hands-On Practice

# 1. Browse running processes
ps aux | vd -f fixed --skip 1
# Cast %CPU to float, sort descending with ]

# 2. Browse disk usage
df -h | vd -f fixed --skip 1

# 3. Browse listening ports
ss -tulnp | vd -f fixed

# 4. Browse auth log (if accessible)
vd /var/log/auth.log
# Search for Failed: g/ → Failed password

What's Next