Real-Time Monitoring with `watch` (feat. `grep`)
`watch` re-runs a command on a timer and redraws the full screen. Use it to build quick, live dashboards: counts, top-N, or snapshots. When you need streaming of only new lines, prefer `tail -F | grep`; when you need periodic aggregation, use `watch`.

Options and idioms used here: `-n SECS`, `-d`, `--color`, `sh -c '...'`.

With `grep`:
```bash
watch --color -n 1 "grep --color=always -nE '(ERROR|WARN)' /var/log/app.log | tail -n 20"
```

Use `watch --color` with `grep --color=always`, and `tail` to keep the screen readable.

```bash
# 1) Live error counter (snapshot)
watch -n 2 "grep -cE 'ERROR|CRITICAL' /var/log/myapp.log"

# 2) HTTP status distribution (Nginx/Apache)
watch -d -n 2 "awk '{print \$9}' /var/log/nginx/access.log \
| grep -E '^[1-5][0-9]{2}$' | sort | uniq -c | sort -nr | head"

# 3) Top offenders (e.g., user/service keys in app logs)
watch -d -n 3 "grep -Eo 'user=[^ ]+' app.log | sort | uniq -c | sort -nr | head"

# 4) Multi-file fatal scan with filenames
watch --color -n 1 "grep --color=always -HnE '(FATAL|OOM|panic)' /var/log/*.log | tail -n 30"

# 5) "Last minute" pulse (systemd journals)
watch -n 5 "journalctl -u myservice --since '-1 min' --no-pager | grep -cE '(ERROR|WARN)'"
```
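Quoting decides when `$()` and `*` expand. For robust quoting, wrap with `sh -c`:

```bash
# -x (--exec) makes watch exec the arguments directly instead of re-joining them
# into one `sh -c` string, so the single-quoted script and "$0" arrive intact.
# --color lets watch render the escapes produced by grep --color=always.
watch --color -n 1 -x sh -c 'grep --color=always -nE "(ERROR|WARN)" "$0" | tail -n 20' /var/log/app.log
```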
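The following is an added example, not part of the original page: it emulates two `watch` refreshes by running a command string through `sh -c` twice, to show how quoting fixes the moment at which `$()` and `*` expand. The function names, the scratch directory and the log lines are constructed for the illustration.

```bash
# Added example; scratch paths and log lines are constructed. watch re-runs its
# command string through `sh -c` on every refresh, which refresh_twice emulates.

# refresh_twice CMD CHANGE: run CMD, apply CHANGE to the logs, run CMD again.
refresh_twice() {
    first=$(sh -c "$1")
    eval "$2"
    second=$(sh -c "$1")
    printf '%s -> %s\n' "$first" "$second"
}

# Scratch directory holding a.log with a single ERROR line.
new_logdir() {
    dir=$(mktemp -d) || return 1
    echo "ERROR constructed failure 1" > "$dir/a.log"
}

# Unescaped $() in double quotes: expanded once by the calling shell, so the count is frozen.
subst_frozen() {
    new_logdir || return 1
    refresh_twice "echo errors=$(grep -c ERROR "$dir/a.log")" \
        "echo 'ERROR constructed failure 2' >> '$dir/a.log'"
    rm -rf "$dir"
}

# Escaped \$() (single quotes work too): sh -c expands it on every refresh.
subst_live() {
    new_logdir || return 1
    refresh_twice "echo errors=\$(grep -c ERROR '$dir/a.log')" \
        "echo 'ERROR constructed failure 2' >> '$dir/a.log'"
    rm -rf "$dir"
}

# Unquoted *: the file list is fixed before watch starts; later logs are missed.
glob_frozen() {
    new_logdir || return 1
    set -- "$dir"/*.log
    refresh_twice "cat $* | grep -c ERROR" \
        "echo 'ERROR constructed failure 2' > '$dir/b.log'"
    rm -rf "$dir"
}

# Quoted *: the pattern reaches sh -c intact and is re-globbed each refresh.
glob_live() {
    new_logdir || return 1
    refresh_twice "cat '$dir'/*.log | grep -c ERROR" \
        "echo 'ERROR constructed failure 2' > '$dir/b.log'"
    rm -rf "$dir"
}
subst_frozen; subst_live; glob_frozen; glob_live
```

A dashboard built from a frozen command keeps showing the value from the moment it was launched, which is easy to misread as "no new errors".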
When not to use `watch`:

You need streaming new lines → use:

```bash
tail -F /var/log/app.log | grep --line-buffered -nE '(ERROR|WARN)'
```

You need alerts or historical storage → use a log shipper/monitoring stack (e.g., journald + Prometheus + Loki) rather than screen snapshots.