kelora 0.7.2

A command-line log analysis tool with embedded Rhai scripting
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193

# Kelora

**Scriptable log processor for the command line.**

Parse messy logs into structured events, then filter, transform, and analyze them with embedded [Rhai](https://rhai.rs) scripting.

!!! warning "Experimental Tool"
    Kelora is a [vibe-coded](https://en.wikipedia.org/wiki/Vibe_coding) experimental tool under active development. APIs and behaviour may change without notice.

## Examples

**Parse embedded formats inside syslog**

=== "Command"

    ```bash
    kelora -f syslog examples/simple_syslog.log \
      --exec 'if e.msg.contains("=") { e += e.msg.parse_logfmt() }' \
      --filter 'e.has_field("user")' \
      --keys timestamp,host,user,action,detail,message \
      -F json
    ```

=== "Output"

    ```bash exec="on" source="above" result="ansi"
    kelora -f syslog examples/simple_syslog.log \
      --exec 'if e.msg.contains("=") { e += e.msg.parse_logfmt() }' \
      --filter 'e.has_field("user")' \
      --keys timestamp,host,user,action,detail,message \
      -F json
    ```

=== "Log Data"

    ```bash exec="on" result="ansi"
    cat examples/simple_syslog.log
    ```

**Keep stacktraces together**

=== "Command"

    ```bash
    kelora examples/multiline_stacktrace.log \
      --multiline timestamp \
      --filter 'e.line.lower().contains("valueerror")' \
      --before-context 1 --after-context 1
    ```

=== "Output"

    ```bash exec="on" source="above" result="ansi"
    kelora examples/multiline_stacktrace.log \
      --multiline timestamp \
      --filter 'e.line.lower().contains("valueerror")' \
      --before-context 1 --after-context 1
    ```

=== "Log Data"

    ```bash exec="on" result="ansi"
    cat examples/multiline_stacktrace.log
    ```

**Track container activity with metrics**

=== "Command"

    ```bash
    kelora examples/prefix_docker.log --extract-prefix container \
      --exec 'e.level = e.line.between("[", "]")' \
      --metrics \
      --exec 'track_count(e.container); track_count(e.level)' \
      --keys container,level,line \
      -F csv
    ```

=== "Output"

    ```bash exec="on" source="above" result="ansi"
    kelora examples/prefix_docker.log --extract-prefix container \
      --exec 'e.level = e.line.between("[", "]")' \
      --metrics \
      --exec 'track_count(e.container); track_count(e.level)' \
      --keys container,level,line \
      -F csv
    ```

=== "Log Data"

    ```bash exec="on" result="ansi"
    cat examples/prefix_docker.log 
    ```

**Mask sensitive fields in JSON logs**

=== "Command"

    ```bash
    kelora -j examples/security_audit.jsonl \
      --exec 'if e.has_field("token") {
                let jwt = e.token.parse_jwt();
                e.role = jwt.get_path("claims.role", "guest")
              }' \
      --exec 'e.ip = e.ip.mask_ip(2)' \
      --keys timestamp,event,role,ip \
      -F json
    ```

=== "Output"

    ```bash exec="on" source="above" result="ansi"
    kelora -j examples/security_audit.jsonl \
      --exec 'if e.has_field("token") {
                let jwt = e.token.parse_jwt();
                e.role = jwt.get_path("claims.role", "guest")
              }' \
      --exec 'e.ip = e.ip.mask_ip(2)' \
      --keys timestamp,event,role,ip \
      -F json
    ```

=== "Logs Data"

    ```bash exec="on" result="ansi"
    cat examples/security_audit.jsonl
    ```

See the [Quickstart](quickstart.md) for a step-by-step tour with full output.

## What It Does

- **Parse** JSON, logfmt, syslog, CSV/TSV, Apache/Nginx logs, or custom formats
- **Filter** with Rhai expressions - keep events matching your conditions
- **Transform** with 100+ built-in functions - enrich, redact, extract, restructure
- **Analyze** with built-in metrics - track counts, sums, averages, distributions
- **Output** as logfmt, JSON, or CSV

## How It Works

Kelora processes logs through a streaming pipeline with composable stages:

```
Input → Parse → --exec → --filter → --exec → --filter → ... → Output
  ↓       ↓         ↓         ↓         ↓         ↓              ↓
Files   JSON   transform  narrow   enrich    narrow        logfmt
stdin   syslog                                              JSON
.gz     custom                                              CSV
```

Each `--filter` and `--exec` runs in the order specified, passing events forward. Chain them in any sequence to build multi-stage processing logic. Read the [Pipeline Model](concepts/pipeline-model.md) for details.

## Key Features

- **Resilient Processing** - Skip bad lines automatically, continue processing
- **Parallel Mode** - Process large archives using all CPU cores with `--parallel`
- **Sliding Windows** - Analyze events in context with `--window`
- **100+ Functions** - Rich built-in library for transformation and analysis
- **Format Conversion** - Read any format, write any format
- **Metrics Tracking** - Built-in counters, sums, averages, distributions

## Install

Download from **[GitHub Releases](https://github.com/dloss/kelora/releases)** (macOS, Linux, Windows) or:

```bash
cargo install kelora
```

## Learn More

- **[Quickstart](quickstart.md)** - 5-minute tour
- **[Tutorials](tutorials/parsing-custom-formats.md)** - Step-by-step guides
- **[How-To](how-to/find-errors-in-logs.md)** - Solve specific problems
- **[Concepts](concepts/pipeline-model.md)** - Understanding how Kelora works
- **[Reference](reference/functions.md)** - Functions, formats, CLI options

Run `kelora --help` for comprehensive command-line help screens, or browse the [example files on GitHub](https://github.com/dloss/kelora/tree/main/examples).

## Works Well With

Kelora focuses on normalising noisy logs into structured data. Reach for it when you need programmable filtering, enrichment, or windowed analytics in one streaming pipeline—and pair it with the tools below when you need deeper visualisation or post-processing:

- **[jq](https://jqlang.github.io/jq/)** — process Kelora's JSON output for complex transformations, filtering, or reformatting
- **[lnav](https://lnav.org/)** — explore Kelora's output in an interactive TUI with live filtering, histograms, and ad-hoc SQL queries
- **[qsv](https://github.com/jqnatividad/qsv)** — analyze Kelora's CSV output with statistical operations, joins, and aggregations
- **[SQLite](https://www.sqlite.org/)/[DuckDB](https://duckdb.org/)** — load Kelora's CSV/JSON output into a database for SQL queries and reporting
- **[miller](https://github.com/johnkerl/miller)** — transform Kelora's CSV output for reshaping, aggregating, and format conversion

## License

Kelora is open source software licensed under the [MIT License](https://github.com/dloss/kelora/blob/main/LICENSE).