# lnav — The Logfile Navigator with SQL and Live Tailing

> lnav is an advanced log file viewer that understands dozens of log formats, provides SQL queries against log records, live-tails rotating files, and timestamps-merges multiple logs into one view.

## Install

Save as a script file and run:

# lnav — The Logfile Navigator with SQL and Live Tailing

## Quick Use
```bash
brew install lnav
# Tail many logs, merged by timestamp
lnav /var/log/nginx/access.log /var/log/app/*.log
# Inside lnav
:go 15:30                       # jump to time
;SELECT c_ip, COUNT(*) FROM nginx_log GROUP BY c_ip ORDER BY 2 DESC
/error                          # search
:filter-out heartbeat
```

## Introduction
`lnav` is the Swiss Army knife for log triage. It recognizes syslog, nginx, Apache, JSON, generic timestamped lines, and lets you pivot freely between viewing, searching, filtering, and full SQL querying. Multiple logs open in one buffer are merged by time, so you can see your app, proxy, and db correlated in a single scroll.

## What lnav Does
- Opens log files with format detection (syslog, json, nginx, access_log, etc.).
- Merges multiple files by timestamp into a single stream.
- Lets you SQL-query the current buffer: `;SELECT ...`.
- Live-tails rotating/truncated files.
- Histogram view of error density over time.

## Architecture Overview
lnav's format library parses each file into schema'd rows exposed as SQLite virtual tables. A ncurses renderer shows a merged view; a SQL engine executes interactive queries on the rolling window. Rotations are detected via inode changes and handled transparently.

## Self-Hosting & Configuration
- Install via brew, apt, dnf, dnf, pacman.
- Format definitions JSON under `~/.config/lnav/formats/`.
- `:config` editor inside the tool.
- SSH-over-stdin: `ssh host "tail -f /var/log/app.log" | lnav`.
- Marks and bookmarks persist per file.

## Key Features
- Real-time merged tail of many files.
- SQL over structured logs.
- Format library covers most real-world logs.
- Histogram + spectrogram views to spot anomalies.
- Bookmarks, marks, filters stack cleanly.

## Comparison with Similar Tools
- **tail -f / multitail** — basic; no format parsing or SQL.
- **goaccess** — nginx analytics dashboard; narrower.
- **angle-grinder (ag)** — pipeline DSL for logs; different style.
- **vector/fluent-bit** — pipelines for shipping; not for reading.
- **Grafana Loki + grafana** — persistent solution; lnav is local triage.

## FAQ
**Q: Binary logs?**
A: No; text only. Use `journalctl` piped in for journal.

**Q: Add a custom format?**
A: JSON file in `~/.config/lnav/formats/myapp/format.json`.

**Q: Windows?**
A: Experimental; WSL recommended.

**Q: Query a past window?**
A: `;SELECT * FROM app_log WHERE log_time BETWEEN ...`.

## Sources
- https://github.com/tstack/lnav
- https://lnav.org

---
Source: https://tokrepo.com/en/workflows/4493f997-38c4-11f1-9bc6-00163e2b0d79
Author: Script Depot