Sysadmin Patterns
VisiData transforms the output of standard Linux commands — ps, df, ss, netstat, du — into interactive, filterable sheets. This lesson covers the most useful sysadmin workflows.
Learning Focus
The core pattern for all sysadmin use: command | vd -f fixed [--skip N] → type numeric columns → sort or frequency table → filter → inspect.
Process Inspection with ps
ps aux | vd -f fixed --skip 1
Inside VisiData — process list as a sheet:
USER PID %CPU %MEM VSZ RSS COMMAND
root 1 0.0 0.1 168000 9200 /sbin/init
nginx 1234 0.2 0.5 145000 45000 nginx: worker
mysql 2001 1.8 3.2 890000 256000 mysqld
php 3005 45.6 12.4 720000 980000 php-fpm: worker ← high CPU
# Cast %CPU and %MEM to float
# Move to '%CPU' column → press %
# Move to '%MEM' column → press %
# Move to 'RSS' column → press #
# Sort by CPU descending → find CPU hogs
]
# Filter to processes consuming > 5% CPU
z|
# Enter: __floatval(%CPU) > 5
# Frequency table by USER — who runs the most processes?
# Move to 'USER' column → Shift+F
Disk Usage Analysis
df -h | vd -f fixed --skip 1
Result — disk space by filesystem:
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 50G 23G 27G 46% /
/dev/sdb1 200G 187G 13G 93% /var/www ← almost full!
tmpfs 4G 0G 4G 0% /tmp
# Sort by Use% descending to see fullest partitions first
]
# Filter to partitions > 80% full
z|
# Enter: int(__stripped(Use%, '%')) > 80
Network Port Analysis
ss -tulnp | vd -f fixed
Result — listening sockets:
Netid State Local Address:Port Process
tcp LISTEN 0.0.0.0:22 sshd
tcp LISTEN 0.0.0.0:80 nginx
tcp LISTEN 127.0.0.1:3306 mysqld
tcp LISTEN 0.0.0.0:6379 redis-server
# Frequency table on State
# Move to 'State' → Shift+F
# Filter to LISTEN only
|
# Enter: LISTEN
SQLite Database Inspection
vd /var/www/html/wp-content/db.sqlite3
VisiData shows a table directory:
table_name
wp_posts
wp_users
wp_comments
wp_options
# Press Enter on 'wp_posts' → open as sheet
# Press Shift+I → describe all columns
# Press Shift+F on 'post_status' → count by status
# Filter to published posts only:
|
# Enter: publish
# Count posts by post_type
Shift+F
# on 'post_type' column
Auth Log Failed Login Detection
vd /var/log/auth.log
# Search for failed SSH attempts
g/
# Enter: Failed password
# Parse to extract attacking IP and username
;
# Enter: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)
# Move to 'ip' column → frequency table
Shift+F
# Sort by count descending
]
Result — top attacking IPs:
ip count percent
203.0.113.50 147 52.3% ← likely bot/brute force
198.51.100.8 89 31.7%
192.0.2.15 44 15.7%
Cron Job Log Analysis
vd /var/log/cron
# Search for failures across all columns
g/
# Enter: FAILED|error|Error
# Select all failure rows
g|
# Enter: FAILED|error|Error
# Open filtered sheet
"
# Frequency table by job name
Shift+F
Directory Browser
vd ~/github/practice-folder/visidata/
# Opens Directory Sheet — file browser
# Columns: name, size, modified, extension
# Press Enter to descend into a directory
# Press q to go back up
Complete Sysadmin Workflow Reference
| Task | Command |
|---|---|
| Browse processes | ps aux | vd -f fixed --skip 1 |
| Disk space | df -h | vd -f fixed --skip 1 |
| Network ports | ss -tulnp | vd -f fixed |
| Auth failures | vd /var/log/auth.log |
| Nginx access log | vd /var/log/nginx/access.log |
| SQLite tables | vd ~/github/practice-folder/visidata/08-sysadmin/site.sqlite |
| Directory browser | vd /path/to/dir/ |
| Cron logs | vd /var/log/cron |
| Systemd journal | journalctl -n 1000 --no-pager | vd -f txt |
| vmstat monitoring | vmstat 1 60 | vd -f fixed --skip 2 |
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
ps aux pipe has wrong columns | Column widths vary | Use --skip 1 and manual type casting |
| SQLite permission denied | File owned by www-data | sudo vd or copy with sudo cp |
| Log file too large | Millions of lines | Add --max-rows 100000 |
| Fixed-width columns misaligned | Column widths not detected | Adjust with --fixed-rows 2000 |
Hands-On Practice
# 1. Browse running processes
ps aux | vd -f fixed --skip 1
# Cast %CPU to float, sort descending with ]
# 2. Browse disk usage
df -h | vd -f fixed --skip 1
# 3. Browse listening ports
ss -tulnp | vd -f fixed
# 4. Browse auth log (if accessible)
vd /var/log/auth.log
# Search for Failed: g/ → Failed password