---
layout: page
title:  Features
permalink: /features
---

* TOC
{:toc}

## Single Log View

All log file contents are merged into a single view based on message timestamps.
You no longer need to manually correlate timestamps across multiple windows or
figure out the order in which to view rotated log files. The color bars on the
left-hand side help to show which file a message belongs to.

![Screenshot of lnav showing messages from multiple files](/assets/images/lnav-multi-file2.png)

## Automatic Log Format Detection

The log message format is automatically determined by lnav while scanning your
files.  The following are some of the [formats that are built in by default](https://docs.lnav.org/en/latest/formats.html):

* Common Web Access Log format
* W3C Extended Log File Format
* logfmt
* CUPS page_log
* Syslog
* Glog
* VMware ESXi/vCenter Logs
* dpkg.log
* uwsgi
* "Generic" - Any message that starts with a timestamp
* Strace
* sudo

If your log file format is JSON-lines or can be matched by a PCRE regular
expression, you can define your own format in a
[JSON file](https://docs.lnav.org/en/latest/formats.html#defining-a-new-format).

GZIP'ed and BZIP2'ed files are also detected automatically and decompressed on-the-fly.

## Filters

Display only lines that match or do not match a set of regular expressions.
Useful for removing extraneous log lines that you are not interested in.

## Timeline View

The timeline view shows a histogram of messages over time. The numbers of
warnings and errors are highlighted in the display so that you can easily see
where problems have occurred. Once you have found a period of time that is of
interest, a key-press will take you back to the log message view at the
corresponding time.

![Screenshot of timeline view](/assets/images/lnav-hist.png)

## Pretty-Print View

The pretty-print view will reformat structured data, like XML or JSON, so that
it is easier to read.  Simply press SHIFT+P in the log view to have all the
currently displayed lines pretty-printed.

The following screenshot shows an XML blob with no indentation:

![A flat blob of XML](/assets/images/lnav-before-pretty.png)

After pressing SHIFT+P, the XML is pretty-printed for easier viewing:

![A pretty-printed blob of XML](/assets/images/lnav-after-pretty.png)

## Query Logs Using SQL

Log files are directly used as the backing for SQLite virtual tables.  This
means you can perform queries on messages without having to load the data into
an SQL database.  For example, the screenshot below shows the result of
running the following query against an Apache access_log file:

```sql
SELECT c_ip, count(*), sum(sc_bytes) AS total FROM access_log
    GROUP BY c_ip ORDER BY total DESC;
```

![The results of a SQL query](/assets/images/lnav-query.png)
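
As an added example (not part of the original lnav documentation), the same virtual table can be used for a quick per-client error profile when triaging an access log. It assumes the `sc_status` and `log_time` columns of the built-in `access_log` format alongside the `c_ip` column used above; the thresholds are illustrative and should be tuned to your traffic.

```sql
-- Added example: summarize each client's error behaviour so that
-- scanners and credential-guessing clients stand out from normal users.
-- Thresholds (20 requests, 50% errors) are assumptions, not lnav defaults.
SELECT *
  FROM (SELECT c_ip,
               count(*) AS requests,
               -- Authentication / authorization failures
               sum(CASE WHEN sc_status IN (401, 403)
                        THEN 1 ELSE 0 END) AS denied,
               -- Requests for resources that do not exist
               sum(CASE WHEN sc_status = 404
                        THEN 1 ELSE 0 END) AS not_found,
               -- Share of all requests that ended in a 4xx/5xx status
               round(100.0 * sum(CASE WHEN sc_status >= 400
                                      THEN 1 ELSE 0 END)
                     / count(*), 1) AS error_pct,
               -- Activity window, useful for scoping further review
               min(log_time) AS first_seen,
               max(log_time) AS last_seen
          FROM access_log
         GROUP BY c_ip)
 WHERE requests >= 20
   AND error_pct >= 50.0
 ORDER BY denied DESC, not_found DESC;
```

The `first_seen` and `last_seen` columns give the time range to jump to in the log view when reviewing a flagged client.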

## "Live" Operation

Searches are done as you type; new log lines are automatically loaded and
searched as they are added; filters apply to lines as they are loaded; and SQL
queries are checked for correctness as you type.

## Themes

The UI can be [customized through themes](https://lnav.readthedocs.io/en/latest/config.html#theme-definitions).

![Animation of the UI cycling through themes](/assets/images/lnav-theme-cycle.gif)

## Syntax Highlighting

Errors and warnings are colored in red and yellow, respectively. Highlights are
also applied to: SQL keywords, XML tags, file and line numbers in Java
backtraces, and quoted strings. The search and SQL query prompts are also
highlighted as you type, making it easier to see errors and matching brackets.

![Animation of syntax highlighting](/assets/images/lnav-syntax-highlight.gif)

## Tab-completion

The command prompt supports tab-completion for almost all operations. For
example, when doing a search, you can tab-complete words that are displayed on
screen rather than having to do a copy & paste.

![Animation of TAB-completion](/assets/images/lnav-tab-complete.gif)

## Custom Keymaps

[Hotkeys can be customized](https://lnav.readthedocs.io/en/latest/config.html#keymap-definitions)
to run lnav commands or scripts.

## Sessions

Session information is saved automatically and restored when you are viewing the
same set of files. The current location in files, bookmarks, and applied filters
are all saved as part of the session.

## Headless Mode

The log processing features of lnav can be used in scripts if you have a canned
set of operations or queries that you want to perform regularly. You can enable
headless mode with the `-n` switch on the command line and then use the `-c`
flag to specify the commands or queries you want to execute. For example, to get
the top 10 client IP addresses from an Apache access log file and write the
results to standard output in CSV format:

```console
$ lnav -n \
    -c ';SELECT c_ip, count(*) AS total FROM access_log GROUP BY c_ip ORDER BY total DESC LIMIT 10' \
    -c ':write-csv-to -' \
    access.log

c_ip,total
10.208.110.176,2989570
10.178.4.102,11183
10.32.110.197,2020
10.29.165.250,443
```