Real-time log navigation with less

Whether it’s active development, deployment process or production run time, we developers always need to know what’s happening. And that information is available to us via the log files. We work in real time, and our logs reflect that, there is a lot of information in there; and many times we need to watch those logs in real time to analyze what is happening.

So, how do we read a file that is being appended to while we’re reading it?

The first command we usually learn for following a log file is tail, throw a -f option on at the command line, and we’re all set. Until the line in the log we’re looking for scrolls right past us and out of the buffer.

log navigation with less

Another handy command in our tool box for reading log files is less. As a pager program less allows us to navigate around and search for strings. Now that is useful for analyzing log content. But what about following the entries to the log file as they are appended? After all, we’re interested in the real-time actions.

less has a feature that is not well documented which allows us to follow a log file just like using tail -f, with the added benefit of file navigation and search. A file such as a web server access log, or an application debug log, is a great option to see this real-time appending in action.

Let’s put this to work!

$ less /var/log/foo.log

this enters us into a page view of the log, at the first line. Navigation now is as simple as using the up/down arrows or the letters j & k. This is basic functionality, well documented in the less man pages.

Quickly jump to the end of the file

While in the standard page view of a file in less, you can quickly jump to the end of the file with shift + g

log text line
log text line
last line of log on this page
:

<shift + g>

jump to last line in the file
(END)

We’re at the end of the file, but we care about what is being appended to the file right now, and all we see is the last line written to the file when we opened it. shift + f puts us into follow mode. Now we have the same functionality as tail -f, with more power. Now we can observe the real-time content appended to the log file we’re reading.

Search the File

To return to standard pager mode we use ctrl + c. In this mode we can use the search features in less:

/<search term> : searches forward in the file for ; highlights located term

?<search term> : searches backward in the file for ; highlights the located term

n : finds the next location of in the direction you are searching

shift + n : finds the previous location of in the opposite direction you are searching

Follow the term

After we enter search mode, whenever the term appears in the log it will be highlighted. Jumping forward and backward in the file, the term remains highlighted. Let’s use that to help watch the logs for our search term while the log is being written.

A simple shift + g jumps us the end of the file, then we shift + f to follow. Now as the log is appended with real-time activity we can watch the file for our search term, it will be highlighted.

Some judicious use of the commands we’ve learned help us to follow real-time and navigate backward and forward. If we have a search term defined, and watched it scroll past us amongst the other useful comments in log file, we can get back there quickly.

ctrl + c : cancel follow mode

shift + n : search backward in the file for our search term

less Is more

After I learned about the follow feature of less it became my default log reading command. The flexibility of the features I’ve described above have made log navigation much easier for real-time analysis.