Single Log View
All log file contents are merged into a single view based on message timestamps. You no longer need to manually correlate timestamps across multiple windows or figure out the order in which to view rotated log files. The color bars on the left-hand side help to show which file a message belongs to.
Automatic Log Format Detection
The log message format is automatically determined by lnav while scanning your files. The following formats are built in by default:
- Common Web Access Log format
- CUPS page_log
- VMware ESXi/vCenter Logs
- "Generic" - Any message that starts with a timestamp
GZIP'ed and BZIP2'ed files are also detected automatically and decompressed on-the-fly.
Display only lines that match or do not match a set of regular expressions. Useful for removing extraneous log lines that you are not interested in.
The timeline view shows a histogram of messages over time. The number of warnings and errors are highlighted in the display so that you can easily see where problems have occurred. Once you have found a period of time that is of interest, a key-press will take you back to the log message view at the corresponding time.
The pretty-print view will reformat structured data, like XML or JSON, so that it is easier to read. Simply press SHIFT+P in the log view to have all the currently displayed lines pretty-printed.
Query Logs Using SQL
Log files are directly used as the backing for SQLite virtual tables. This means you can perform queries on messages without having to load the data into an SQL database. For example, the screenshot above shows the result of running the following query against an Apache access_log file:
SELECT c_ip, count(*), sum(sc_bytes) AS total FROM access_log GROUP BY c_ip ORDER BY total DESC;
Automatic Data Extraction (BETA)
The built-in log message parser can automatically discover and extract interesting data from plainly formatted log messages. For example, the screenshot above shows the key/value pairs extracted from a sudo log message. These pairs can then be accessed using SQL.
Searches are done as you type; new log lines are automatically loaded and searched as they are added; filters apply to lines as they are loaded; and, SQL queries are checked for correctness as you type.
Errors and warnings are colored in red and yellow, respectively. Highlights are also applied to: SQL keywords, XML tags, file and line numbers in Java backtraces, and quoted strings. The search and SQL query prompt are also highlighted as you type, making it easier to see errors and matching brackets.
The command prompt supports tab-completion for almost all operations. For example, when doing a search, you can tab-complete words that are displayed on screen rather than having to do a copy & paste.
Session information is saved automatically and restored when you are viewing the same set of files. The current location in files, bookmarks, and applied filters are all saved as part of the session.
The log processing features of lnav can be used in scripts if you have a canned set of operations or queries that you want to perform regularly. You can enable headless mode with the '-n' switch on the command-line and then use the '-c' flag to specify the commands or queries you want to execute. For example, to get the top 10 client IP addresses from an apache access log file and write the results to standard out in CSV format:
$ lnav -n \ -c ';SELECT c_ip, count(*) AS total FROM access_log GROUP BY c_ip ORDER BY total DESC LIMIT 10' \ -c ':write-csv-to -' \ access.log c_ip,total 10.208.110.176,2989570 10.178.4.102,11183 10.32.110.197,2020 10.29.165.250,443
Support for Mac OS X and Linux.