
Supported Log Formats

loq automatically detects these log formats:

JSON

JSON Lines format - one JSON object per line.

{"timestamp":"2024-01-15T10:00:00Z","level":"error","message":"Failed"}
{"time":"2024-01-15T10:00:01Z","severity":"info","msg":"OK"}

Automatically normalizes common field names:

  • timestamp, time, ts, @timestamp → timestamp
  • level, severity, lvl → level
  • message, msg, text, log → message

Apache / Nginx

Combined Log Format:

192.168.1.1 - - [20/Dec/2024:10:00:00 +0000] "GET /api HTTP/1.1" 200 1234 "http://example.com" "Mozilla/5.0"

Syslog

RFC 3164 (BSD) and RFC 5424 formats:

Dec 20 12:34:56 myhost myapp[1234]: Message here
<165>1 2024-01-15T10:00:00.000Z myhost myapp 1234 ID47 - Message

CLF (Common Log Format)

127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326

Plain Text (Fallback)

When loq doesn't recognize a log format, it falls back to plain text mode:

Application started successfully
ERROR: Something went wrong
[2024-01-15] Custom format not recognized

Limitations of plain text mode:

  • The entire line is stored as message
  • No level, timestamp, or other fields are extracted
  • Field-based queries like level=error won't match

Workarounds:

  1. Use message contains instead of field queries:

    loq app.log where message contains "ERROR"
    loq app.log where message matches "^ERROR:"
  2. Create a custom format to properly parse your logs
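
The field normalization and plain text fallback described above, as a Python sketch added here (not loq's own code), showing why a level filter misses an error line that was ingested in plain text mode. The first-match precedence among aliases, the per-line fallback, the case-insensitive level comparison and all helper names are assumptions.

```python
import json

# Alias table as listed on this page; first-match-wins order is an assumption.
ALIASES = {
    "timestamp": ("timestamp", "time", "ts", "@timestamp"),
    "level": ("level", "severity", "lvl"),
    "message": ("message", "msg", "text", "log"),
}
ALIAS_NAMES = {name for names in ALIASES.values() for name in names}

def parse_line(line):
    """Return a normalized record; unrecognized lines become message-only."""
    line = line.rstrip("\n")
    try:
        obj = json.loads(line)
    except ValueError:
        obj = None
    if not isinstance(obj, dict):
        # Plain text fallback: the entire line is stored as message,
        # and no level or timestamp is extracted.
        return {"message": line}
    # Keep non-alias fields as they are, then map aliases to canonical names.
    rec = {k: v for k, v in obj.items() if k not in ALIAS_NAMES}
    for canonical, names in ALIASES.items():
        for name in names:
            if name in obj:
                rec[canonical] = obj[name]
                break
    return rec

def where_level(records, level):
    """Field query: matches only records that carry a level field."""
    return [r for r in records if str(r.get("level", "")).lower() == level]

def where_message_contains(records, needle):
    """Substring query on message: works for fallback records too."""
    return [r for r in records if needle in str(r.get("message", ""))]

# Constructed sample input, reusing the example lines from this page.
SAMPLE = [
    '{"timestamp":"2024-01-15T10:00:00Z","level":"error","message":"Failed"}',
    '{"time":"2024-01-15T10:00:01Z","severity":"info","msg":"OK"}',
    "ERROR: Something went wrong",
    "[2024-01-15] Custom format not recognized",
]
RECORDS = [parse_line(entry) for entry in SAMPLE]

if __name__ == "__main__":
    print("level=error:", where_level(RECORDS, "error"))
    print('message contains "ERROR":', where_message_contains(RECORDS, "ERROR"))
```

An alert or hunt built only on level=error would return the structured record and silently skip the plain text error line, so check which mode a source was parsed in before relying on field queries.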

Tip: For best results, use structured logging (JSON) in your applications. This gives you full query capabilities on any field.

Released under the MIT License.