This chapter contains an overview of how to use lnav.

Basic Controls

Like most file viewers, scrolling through files can be done with the usual hotkeys. For non-trivial operations, you can enter the command prompt by pressing :. To analyze data in a log file, you can enter the SQL prompt by pressing ;.


Check the bottom right corner of the screen for tips on hotkeys that might be useful in the current context.


When lnav is first open, it suggests using e and Shift + e to jump to error messages.

Viewing Files

The files to view in lnav can be given on the command-line or passed to the :open command. A glob pattern can be given to watch for files with a common name. If the path is a directory, all of the files in the directory will be opened and the directory will be monitored for files to be added or removed from the view. If the path is an archive or compressed file (and lnav was built with libarchive), the archive will be extracted to a temporary location and the files within will be loaded. The files that are found will be scanned to identify their file format. Files that match a log format will be collated by time and displayed in the LOG view. Plain text files can be viewed in the TEXT view, which can be accessed by pressing t.

Archive Support

If lnav is compiled with libarchive, any files to be opened will be examined to see if they are a supported archive type. If so, the contents of the archive will be extracted to the $TMPDIR/lnav-user-${UID}-work/archives/ directory. Once extracted, the files within will be loaded into lnav. To speed up opening large amounts of files, any file that meets the following conditions will be automatically hidden and not indexed:

  • Binary files

  • Plain text files that are larger than 128KB

  • Duplicate log files

The unpacked files will be left in the temporary directory after exiting lnav so that opening the same archive again will be faster. Unpacked archives that have not been accessed in the past two days will be automatically deleted the next time lnav is started.

Remote Files

Files on remote machines can be viewed and tailed if you have access to the machines via SSH. First, make sure you can SSH into the remote machine without any interaction by: 1) accepting the host key as known and 2) copying your identity’s public key to the .ssh/authorized_keys file on the remote machine. Once the setup is complete, you can open a file on a remote host using the same syntax as scp(1) where the username and host are given, followed by a colon, and then the path to the files, like so:


For example, to open /var/log/syslog.log on “” as the user “dean”, you would write:


Remote files can also be opened using the :open command. Opening a remote file in the TUI has the advantage that the file path can be TAB-completed and a preview is shown of the first few lines of the file.


If lnav is installed from the snap, you will need to connect it to the ssh-keys plug using the following command:

sudo snap connect lnav:ssh-keys


Remote file access is implemented by transferring an αcτµαlly pδrταblε εxεcµταblε to the destination and invoking it. An APE binary can run on most any x86_64 machine and OS (i.e. MacOS, Linux, FreeBSD, Windows). The binary is baked into the lnav executable itself, so there is no extra setup that needs to be done on the remote machine.


Any log messages that are loaded into lnav are indexed by time and log level (e.g. error, warning) to make searching quick and easy with hotkeys. For example, pressing e will jump to the next error in the file and pressing Shift + e will jump to the previous error. Plain text searches can be done by pressing / to enter the search prompt. A regular expression can be entered into the prompt to start a search through the current view.


To reduce the amount of noise in a log file, lnav can hide log messages that match certain criteria. The following sub-sections explain ways to go about that.

Regular Expression Match

If there are log messages that you are not interested in, you can do a “filter out” to hide messages that match a pattern. A filter can be created using the interactive editor, the :filter-out command, or by doing an INSERT into the lnav_view_filters table.

If there are log messages that you are only interested in, you can do a “filter in” to only show messages that match a pattern. The filter can be created using the interactive editor, the :filter-in command, or by doing an INSERT into the lnav_view_filters table.

SQLite Expression

Complex filtering can be done by passing a SQLite expression to the :filter-expr command. The expression will be executed for every log message and if it returns true, the line will be shown in the log view.


To limit log messages to a given time frame, the :hide-lines-before and :hide-lines-after commands can be used to specify the beginning and end of the time frame.

Log level

To hide messages below a certain log level, you can use the :set-min-log-level.

Search Tables


Taking Notes

A few of the columns in the log tables can be updated on a row-by-row basis to allow you to take notes. The majority of the columns in a log table are read-only since they are backed by the log files themselves. However, the following columns can be changed by an UPDATE statement:

  • log_part - The “partition” the log message belongs to. This column can also be changed by the :partition-name command.

  • log_mark - Indicates whether the line has been bookmarked.

  • log_comment - A free-form text field for storing commentary. This column can also be changed by the :comment command.

  • log_tags - A JSON list of tags associated with the log message. This column can also be changed by the :tag command.

While these columns can be updated by through other means, using the SQL interface allows you to make changes automatically and en masse. For example, to bookmark all lines that have the text “something interesting” in the log message body, you can execute:

;UPDATE all_logs SET log_mark = 1 WHERE log_body LIKE '%something interesting%'

As a more advanced example of the power afforded by SQL and lnav’s virtual tables, we will tag log messages where the IP address bound by dhclient has changed. For example, if dhclient reports “bound to” initially and then reports “bound to”, we want to tag only the messages where the IP address was different from the previous message. While this can be done with a single SQL statement 1, we will break things down into a few steps for this example. First, we will use the :create-search-table command to match the dhclient message and extract the IP address:

:create-search-table dhclient_ip bound to (?<ip>[^ ]+)

The above command will create a new table named dhclient_ip with the standard log columns and an ip column that contains the IP address. Next, we will create a view over the dhclient_ip table that returns the log message line number, the IP address from the current row and the IP address from the previous row:

;CREATE VIEW IF NOT EXISTS dhclient_ip_changes AS SELECT log_line, ip, lag(ip) OVER (ORDER BY log_line) AS prev_ip FROM dhclient_ip

Finally, the following UPDATE statement will concatenate the tag “#ipchanged” onto the log_tags column for any rows in the view where the current IP is different from the previous IP:

;UPDATE syslog_log SET log_tags = json_concat(log_tags, '#ipchanged') WHERE log_line IN (SELECT log_line FROM dhclient_ip_changes WHERE ip != prev_ip)

Since the above can be a lot to type out interactively, you can put these commands into a script and execute that script with the | hotkey.


The expression regexp_match('bound to ([^ ]+)', log_body) as ip can be used to extract the IP address from the log message body.