Plain text is the fallback format for any file that does not look like JSON or logfmt. This covers syslog, Apache/nginx access logs, Java stack traces, and any other unstructured line-based output.

Detection

Zeal recognizes two related formats for unstructured logs:
  • syslog — detected when the first line starts with a month abbreviation (RFC 3164: Jan 15 10:30:00 ...) or an RFC 5424 priority tag (<13>...). Zeal uses a dedicated syslog parser internally.
  • plain text — the fallback for everything else that isn’t JSON, logfmt, or syslog.
Both formats use the same query syntax and field detection heuristics.

Example log lines

2024-01-15 10:30:06 ERROR Connection timeout for request abc123
Jan 15 10:30:06 myhost myapp[1234]: ERROR Connection timeout
192.168.1.1 - - [15/Jan/2024:10:30:06 +0000] "GET /api/users HTTP/1.1" 500 1234

Query examples

CONTAINS is the most reliable operator for plain text because the entire line is available as message:
zeal 'FROM /var/log/syslog WHERE message CONTAINS "timeout"'
zeal 'FROM /var/log/apache/access.log WHERE message CONTAINS "500"'
zeal 'FROM /var/log/syslog WHERE level = "error"'

Level and timestamp extraction

For plain text lines, Zeal attempts to detect level and timestamp automatically using common patterns:
  • [ERROR] / [WARN] bracketed tokens
  • Bare level words: ERROR, WARN, WARNING, INFO, DEBUG, TRACE, FATAL, CRITICAL
  • ISO 8601 / space-separated timestamps at the start of the line: 2024-01-15T10:30:06Z or 2024-01-15 10:30:06
When a level word is found, WHERE level = "error" works as expected. When it is not found, level is reported as unknown and equality filters on it will not match.
Field extraction for plain text is best-effort. CONTAINS searches the full raw line and is always reliable. Structured field filters (=, >=, etc.) depend on successful pattern detection.
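
The effect of best-effort extraction on query results, as an added Python sketch that is not Zeal's parser: the regexes, the function names detect_format, extract and query, the lowercase level values, and substring semantics for CONTAINS are assumptions modelled on the description above. It shows that the HTTP 500 access-log line carries no level word, so a level filter misses it, while a short CONTAINS token also matches a constructed 200 response.

```python
import re

# Constructed sample: the page's three example lines plus one constructed
# access-log line (status 200, response size 500).
SAMPLE = [
    '2024-01-15 10:30:06 ERROR Connection timeout for request abc123',
    'Jan 15 10:30:06 myhost myapp[1234]: ERROR Connection timeout',
    '192.168.1.1 - - [15/Jan/2024:10:30:06 +0000] "GET /api/users HTTP/1.1" 500 1234',
    '192.168.1.2 - - [15/Jan/2024:10:31:00 +0000] "GET /health HTTP/1.1" 200 500',
]

# Patterns follow the page's description; the exact regexes are assumptions.
SYSLOG_START = re.compile(
    r"^(?:(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d|<\d{1,3}>)")
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}Z?")
LEVEL = re.compile(r"\b(ERROR|WARN|WARNING|INFO|DEBUG|TRACE|FATAL|CRITICAL)\b")

def detect_format(first_line):
    """syslog if the first line looks like RFC 3164 or RFC 5424, else plain."""
    return "syslog" if SYSLOG_START.match(first_line) else "plain"

def extract(line):
    """Best-effort fields; level falls back to 'unknown' as the page states."""
    ts = ISO_TS.match(line)
    lvl = LEVEL.search(line)  # also finds [ERROR], since brackets are non-word
    return {
        "message": line,
        "timestamp": ts.group(0) if ts else None,
        "level": lvl.group(1).lower() if lvl else "unknown",
    }

def query(lines, contains=None, level=None):
    """Model of WHERE message CONTAINS ... / WHERE level = ... (AND-combined)."""
    hits = []
    for rec in map(extract, lines):
        if contains is not None and contains not in rec["message"]:
            continue
        if level is not None and rec["level"] != level:
            continue
        hits.append(rec)
    return hits

if __name__ == "__main__":
    print("level=error   :", len(query(SAMPLE, level="error")))    # misses the HTTP 500
    print("contains 500  :", len(query(SAMPLE, contains="500")))   # also hits the 200
    print("level=unknown :", len(query(SAMPLE, level="unknown")))  # no level detected
```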
