lnav — The Logfile Navigator with SQL and Live Tailing
lnav is an advanced log file viewer that understands dozens of log formats, provides SQL queries against log records, live-tails rotating files, and merges multiple logs by timestamp into one view.
Review-first install path
This asset needs a review step. The copied prompt tells the agent to dry-run, show the writes, then proceed only after confirmation.
npx -y tokrepo@latest install 4493f997-38c4-11f1-9bc6-00163e2b0d79 --target codex
Dry-run first, confirm the writes, then run this command.
What it is
lnav is an advanced log file viewer for the terminal that understands dozens of log formats out of the box. It merges multiple log files by timestamp, provides SQL queries against log records, live-tails rotating files, and highlights errors and warnings automatically. Unlike tail -f or grep, lnav gives you a structured, queryable view of your logs.
The tool targets system administrators, SREs, and developers who debug production issues by reading log files. It works with syslog, Apache, NGINX, Docker, journald, and many other formats without configuration.
How it saves time or tokens
lnav replaces the cycle of grep, awk, and tail commands with a single interactive viewer. SQL queries let you aggregate, filter, and correlate log events without piping between tools. Timestamp-based merging across multiple files means you see events in chronological order regardless of which service produced them. For incident response, this reduces log investigation time from minutes of command chaining to seconds of SQL queries.
How to use
- Install lnav:
    brew install lnav
- Open one or more log files:
    lnav /var/log/nginx/access.log /var/log/app/*.log
- Inside lnav, use keyboard shortcuts and SQL:
    -- Jump to a specific time
    :go 15:30
    -- Query log records
    ;SELECT c_ip, COUNT(*) FROM nginx_log GROUP BY c_ip ORDER BY COUNT(*) DESC LIMIT 10
Example
Investigate a spike in 500 errors across multiple services:
# Open all relevant logs
lnav /var/log/nginx/error.log /var/log/app/api.log /var/log/app/worker.log
# Inside lnav - find error patterns
;SELECT log_time, log_level, log_body
FROM all_logs
WHERE log_level = 'error'
AND log_time > '2026-04-15 14:00'
ORDER BY log_time
# Filter to specific IP
:filter-in 192.168.1.100
lnav merges all three log files by timestamp, so you see the exact sequence of events across services.
Common pitfalls
- lnav auto-detects log formats, but custom formats need a JSON format definition file. Without it, custom logs display as plain text without structure.
- SQL queries run against in-memory log data. Very large log files (10GB+) may cause high memory usage. Filter or limit the time range before loading.
- The :go time command uses the log file's timezone. Ensure your log timestamps include timezone information to avoid confusion with UTC offsets.
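A minimal format definition of the kind the first pitfall refers to, added here as an example (it is not from this page or from the lnav project). The format name myapp_log, the line layout, and the component and client_ip fields are assumptions, and the sample lines are constructed; the timestamps carry an explicit UTC offset, which also addresses the timezone pitfall.

```json
{
  "$schema": "https://lnav.org/schemas/format-v1.schema.json",
  "myapp_log": {
    "title": "Example application log",
    "description": "Constructed example format; the name, line layout and fields are assumptions.",
    "regex": {
      "std": {
        "pattern": "^(?<timestamp>\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d+)?(?:Z|[+-]\\d{2}:\\d{2})) (?<level>[A-Z]+) \\[(?<component>[\\w.-]+)\\] client=(?<client_ip>[0-9a-fA-F:.]+) (?<body>.*)$"
      }
    },
    "timestamp-field": "timestamp",
    "level-field": "level",
    "body-field": "body",
    "level": {
      "error": "ERROR",
      "warning": "WARN",
      "info": "INFO",
      "debug": "DEBUG"
    },
    "value": {
      "component": { "kind": "string", "identifier": true },
      "client_ip": { "kind": "string", "identifier": true }
    },
    "sample": [
      {
        "line": "2026-04-15T14:03:22.118+00:00 ERROR [api.auth] client=192.168.1.100 upstream returned 500 for /v1/orders",
        "level": "error"
      },
      {
        "line": "2026-04-15T14:03:25+00:00 WARN [worker.queue] client=10.0.0.7 retrying job 8812"
      }
    ]
  }
}
```

Install it with lnav -i myapp_log.json. The captured fields then become columns of a myapp_log table, so client_ip and component can be grouped and filtered in SQL the same way c_ip is in the query above.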
Frequently Asked Questions
lnav supports dozens of formats out of the box including syslog, Apache access/error, NGINX, Docker, journald, Python logging, Java log4j, and many more. Custom formats can be added via JSON format definition files.
Yes. lnav can read gzip and bzip2 compressed log files directly. This is useful for analyzing rotated log files without manually decompressing them first.
lnav parses log records into structured fields based on the detected format. You query these fields using SQLite-compatible SQL syntax. Each log format exposes different columns like timestamp, level, message, IP address, and HTTP status code.
Yes. lnav live-tails multiple files at once, merging new entries by timestamp as they arrive. This gives you a unified, chronological view of events across multiple services in real time.
Yes. You can pipe Docker logs to lnav or point it at Docker's JSON log files directly. lnav recognizes the Docker log format and parses container names, timestamps, and log levels automatically.