Skip to main content
Zeal reads the first line of your log file and infers the format — no flags or configuration required. The same query syntax works identically across all formats.

Detection rules

FormatDetectionExample
JSONFirst line starts with {{"level":"error","message":"timeout"}
logfmtFirst line has ≥2 key=value pairslevel=error msg="timeout" req=abc
syslogFirst line starts with a month abbreviation (Jan) or <priority> tagJan 15 10:30:00 myhost myapp[1234]: error
Plain textEverything else2024-01-15 10:30:06 ERROR timeout
Detection runs once on the first non-empty line. Every subsequent line in the file is parsed with the same format.

Auto-mapped fields

Several common field name variations are normalized automatically so that standard filters like level = "error" work regardless of how the field was named in your logs.
Canonical fieldRecognized aliases
levellvl, severity, log_level, loglevel
messagemsg, text, body
timestampts, time, t, @timestamp, datetime, date
raw / lineThe original unparsed log line
For example, a Go app that writes lvl=warn and a Java app that writes severity=WARN both match WHERE level = "warn".

Format pages

JSON

Structured JSON logs with full field access and numeric comparisons.

logfmt

Key-value format used by Go apps, Heroku, and many cloud services.

Plain text

Syslog, Apache access logs, and any other line-based format.

Build docs developers (and LLMs) love

Get started for freeTalk to us