ScriptsApr 15, 2026·2 min read

lnav — The Logfile Navigator with SQL and Live Tailing

lnav is an advanced log file viewer that understands dozens of log formats, provides SQL queries against log records, live-tails rotating files, and timestamps-merges multiple logs into one view.

Script Depot
Script Depot · Community

Introduction

lnav is the Swiss Army knife for log triage. It recognizes syslog, nginx, Apache, JSON, generic timestamped lines, and lets you pivot freely between viewing, searching, filtering, and full SQL querying. Multiple logs open in one buffer are merged by time, so you can see your app, proxy, and db correlated in a single scroll.

What lnav Does

  • Opens log files with format detection (syslog, json, nginx, access_log, etc.).
  • Merges multiple files by timestamp into a single stream.
  • Lets you SQL-query the current buffer: ;SELECT ....
  • Live-tails rotating/truncated files.
  • Histogram view of error density over time.

Architecture Overview

lnav's format library parses each file into schema'd rows exposed as SQLite virtual tables. A ncurses renderer shows a merged view; a SQL engine executes interactive queries on the rolling window. Rotations are detected via inode changes and handled transparently.

Self-Hosting & Configuration

  • Install via brew, apt, dnf, dnf, pacman.
  • Format definitions JSON under ~/.config/lnav/formats/.
  • :config editor inside the tool.
  • SSH-over-stdin: ssh host "tail -f /var/log/app.log" | lnav.
  • Marks and bookmarks persist per file.

Key Features

  • Real-time merged tail of many files.
  • SQL over structured logs.
  • Format library covers most real-world logs.
  • Histogram + spectrogram views to spot anomalies.
  • Bookmarks, marks, filters stack cleanly.

Comparison with Similar Tools

  • tail -f / multitail — basic; no format parsing or SQL.
  • goaccess — nginx analytics dashboard; narrower.
  • angle-grinder (ag) — pipeline DSL for logs; different style.
  • vector/fluent-bit — pipelines for shipping; not for reading.
  • Grafana Loki + grafana — persistent solution; lnav is local triage.

FAQ

Q: Binary logs? A: No; text only. Use journalctl piped in for journal.

Q: Add a custom format? A: JSON file in ~/.config/lnav/formats/myapp/format.json.

Q: Windows? A: Experimental; WSL recommended.

Q: Query a past window? A: ;SELECT * FROM app_log WHERE log_time BETWEEN ....

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Crossplane — The Cloud Native Control Plane Framework

Crossplane extends Kubernetes with Custom Resources that represent cloud infrastructure, letting you compose and manage AWS, Azure, GCP, and SaaS resources with kubectl and GitOps.

Script Depot

CoreDNS — Flexible DNS Server Written in Go

CoreDNS is a CNCF-graduated DNS server written in Go, composed entirely of plugins, and used as the default in-cluster DNS for Kubernetes since v1.13.

Script Depot

Apache APISIX — Cloud Native High-Performance API Gateway

Apache APISIX is a dynamic, real-time, high-performance API gateway built on NGINX and etcd, offering rich traffic management with a large plugin ecosystem and sub-millisecond routing updates.

Script Depot
Home🔍Search👤Me