v0.3.0 · MIT OR Apache-2.0

jq with memory.

Self-hosted log query for engineers who don't want a Datadog bill. Single binary, SQLite-backed, no daemon, no agent, no account.

$ cargo install logdive
The query language

Filters that read like English. Time ranges that just work.

Boolean expressions over fields, with first-class time windows and JSON path extraction. No regex required for the common case.

$ logdive query 'level=error AND service=payments last 2h'
All errors from the payments service in the last 2 hours.

$ logdive query '(level=error OR level=warn) AND service=payments' --output json
Pipe results downstream — output is line-delimited JSON.

$ logdive query 'message contains "timeout" last 24h'
Substring match on the message body; the quoted string is the literal you're searching for.
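The detail of `contains` that matters for safety is how the literal reaches SQLite. As an added example that is not logdive's own code, this shows one way to lower such a term: the field name comes from an allow-list (the names are assumed here), the literal is bound as a `?` parameter rather than spliced into SQL text, and its LIKE metacharacters are escaped so a search for `100%_done` matches that text rather than acting as a wildcard.

```rust
// Added example, not logdive's own code. Lowers `<field> contains "<literal>"` to
// SQLite with the literal bound as a parameter and its LIKE metacharacters escaped.

/// Escape `%`, `_` and the escape character itself, then wrap in `%...%` for
/// substring matching. Pairs with `LIKE ? ESCAPE '\'` in the SQL text.
pub fn like_pattern(literal: &str) -> String {
    let mut out = String::with_capacity(literal.len() + 2);
    out.push('%');
    for c in literal.chars() {
        if matches!(c, '\\' | '%' | '_') {
            out.push('\\');
        }
        out.push(c);
    }
    out.push('%');
    out
}

/// Column names cannot be bound as parameters, so they come from an allow-list
/// rather than from the query string. The names here are assumed, not logdive's.
const COLUMNS: &[&str] = &["level", "service", "message", "source"];

/// Lower `<column> contains <literal>` to (sql_fragment, bound_parameter).
/// The SQL text holds only an allow-listed column and a `?` placeholder.
pub fn contains_clause(column: &str, literal: &str) -> Result<(String, String), String> {
    if !COLUMNS.contains(&column) {
        return Err(format!("unknown field: {column}"));
    }
    Ok((format!("{column} LIKE ? ESCAPE '\\'"), like_pattern(literal)))
}

fn main() {
    // Constructed inputs: the second carries LIKE wildcards that must match literally.
    for lit in ["timeout", "100%_done"] {
        match contains_clause("message", lit) {
            Ok((sql, param)) => println!("{sql}   <- bound: {param:?}"),
            Err(e) => println!("rejected: {e}"),
        }
    }
    println!("{:?}", contains_clause("message; DROP TABLE logs", "x"));
}
```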
Performance

Fast enough that grep starts to feel slow.

Measured on the project's own criterion suite against a 100k-row corpus. Your hardware will vary; the shape of the numbers won't.

189k lines/s: batched ingest throughput. Sustained, not peak.
150k lines/s: end-to-end parse + ingest, JSON in, indexed out.
23µs: indexed-field query against 100k rows.
4.1ms: json_extract field query against 100k rows.

Full-table CONTAINS scans land at 35–38 ms over 100k rows. Run cargo bench for your own baseline.

What you get

Three things, done well.

Local-first

One binary, one SQLite file. No daemon to babysit, no cloud account to authorize, no agent to ship logs anywhere. Your data stays on the machine that produced it.

Fast queries

SQLite handles the storage. blake3 content hashes deduplicate repeated lines. json_extract reaches into structured payloads without re-parsing. Microsecond reads on indexed fields.

Multi-format ingestion

JSON for the modern stack. logfmt for the old guard. Plain text for everything else. logdive sniffs the format per-line and normalizes into a single queryable shape.
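As an added example, not logdive's own code, here is one way to do the per-line sniffing described above: a line that is a JSON object literal is handed on as JSON (a real JSON parser is assumed downstream), a line with at least one key=value pair is parsed as logfmt, including quoted values with backslash escapes, and everything else is plain text.

```rust
// Added example, not logdive's own code: per-line format sniffing as the ingestion
// section describes it (JSON object, else logfmt key=value pairs, else plain text).
use std::collections::BTreeMap;
#[derive(Debug, PartialEq)]
pub enum Line { Json(String), Logfmt(BTreeMap<String, String>), Plain(String) }
/// Parse one logfmt line such as `level=error msg="upstream \"db\" timed out"`.
/// Unterminated quotes fail; a line with no `key=value` pair at all yields None.
pub fn parse_logfmt(line: &str) -> Option<BTreeMap<String, String>> {
    let mut fields = BTreeMap::new();
    let mut it = line.chars().peekable();
    let mut saw_pair = false;
    while let Some(&c) = it.peek() {
        if c.is_whitespace() { it.next(); continue; }
        let mut key = String::new();
        while let Some(&c) = it.peek() {
            if c == '=' || c.is_whitespace() { break; }
            key.push(c); it.next();
        }
        let mut value = String::new();
        if it.peek() == Some(&'=') {
            it.next(); saw_pair = true;
            if it.peek() == Some(&'"') {
                it.next();
                let mut closed = false;
                while let Some(c) = it.next() {
                    match c {
                        '\\' => value.push(it.next()?), // escape needs a following char
                        '"' => { closed = true; break; }
                        _ => value.push(c),
                    }
                }
                if !closed { return None; }
            } else {
                while let Some(&c) = it.peek() {
                    if c.is_whitespace() { break; }
                    value.push(c); it.next();
                }
            }
        }
        fields.insert(key, value); // bare key without `=` keeps an empty value
    }
    if saw_pair { Some(fields) } else { None }
}
/// Classify one raw line and normalise it into `Line`.
pub fn sniff(line: &str) -> Line {
    let t = line.trim();
    if t.starts_with('{') && t.ends_with('}') { return Line::Json(t.to_string()); }
    parse_logfmt(t).map(Line::Logfmt).unwrap_or_else(|| Line::Plain(t.to_string()))
}
```

A plain-text line that happens to contain a `key=value` token will sniff as logfmt; that ambiguity is inherent to per-line sniffing and is why the plain-text fallback only catches lines with no pair at all.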

Architecture

A three-crate workspace.

The core does the work. The CLI is a thin wrapper. The API is read-only and optional. You can use one without the other two.

logdive/
├── logdive-core   # the library that does the work
├── logdive        # CLI, a thin wrapper over the core
└── logdive-api    # optional read-only HTTP API
When to reach for logdive

And, more importantly, when not to.

logdive is for one machine — a laptop, a VPS, a single Kubernetes node. You point it at log files or a stdin stream, you query them later. That's the whole product. It replaces the loop of grep | jq | awk with something that has indexes and time ranges.

Loki is the right answer when you have a fleet and you're already running Prometheus. Datadog is the right answer when someone else is paying the bill and you want a polished UI. Elastic is the right answer when you need full-text search at scale and have an ops team to run the cluster.

logdive is what you reach for in the gap below all of that — when the alternative isn't another observability platform, it's a fifteen-line shell pipeline that you'd rather not write again.

Honest limit: if you have more than one machine producing logs, logdive is the wrong tool. There is no clustering, no cross-host index, no shipping protocol. Use Loki.

Project status


Now

Active development. Currently building v0.4.0.

  • Large-corpus benchmark suite

    Extend criterion benchmarks to 500k-row datasets; profile OR fanout, CONTAINS scans, and json_extract() call overhead.

  • Query latency improvements

    Target sub-10ms for 25%-match queries at 500k rows on indexed fields. Profile and reduce allocations in the executor hot path.

Next

Planned for the next release or two. Likely to ship.

  • Structured output formats: yaml, csv

    Add --output yaml and --output csv to logdive query for pipeline-friendly output.

  • Windows support for --follow mode

    Rotation and truncation detection on NTFS using ReadDirectoryChangesW.

  • Configurable retention by source

    Let prune --older-than vary per source tag instead of one global cutoff.

Later

Under consideration. No timeline, may not happen.

  • Authentication for the HTTP API (waiting on feedback)

    Currently a non-goal. Reconsidering only if the localhost-only stance is causing real pain.

  • Multi-file ingest with glob patterns (considering)

  • Aggregations: count, distinct, group-by (considering)

  • Browser-based query UI (needs spec)

    Listed for completeness; explicit v1 non-goal. Would need a separate crate and a real design pass.

Recently shipped

Full history in CHANGELOG.md on GitHub.

  1. v0.3.0 (5 June 2026)
    • Parenthesised query groups: (level=error OR level=warn) AND service=payments.
    • CLI pagination: --offset N on logdive query; HTTP offset= parameter on GET /query.
    • Case-insensitive level queries: level=ERROR matches level=error via expression index.
    • Distroless Docker runtime (gcr.io/distroless/cc-debian12:nonroot); --health-check flag replaces curl.
    • Breaking: logdive query --format renamed to --output; execute() now takes QueryOptions { limit, offset }.
  2. v0.2.1 (1 June 2026)
    • Security test suite: SQL injection, LIKE wildcard escaping, resource exhaustion (1k-disjunct OR, 10 MB line).
    • Functional tests: proptest property-based, cross-format dedup, concurrent CLI ingest, parser edge cases, follow-mode, API integration, prune boundary.
    • Supply-chain hardening: cargo-deny, SBOM via cargo-cyclonedx, daily audit CI, CI permissions: contents: read.
    • Allocation improvements: LogEntry::with_tag takes &str, entry_to_json_string avoids clone per HTTP row.
  3. v0.2.0 (15 May 2026)
    • Added OR to the query language — (level=error OR level=warn) AND service=payments.
    • Ingestion now accepts logfmt and plain-text lines alongside JSON.
    • New --follow mode tails files with rotation and truncation detection.
    • Introduced the prune subcommand for time-based retention with --older-than.
    • HTTP API gained /version and /capabilities endpoints, plus configurable CORS.
    • Docker image is now multi-stage and multi-arch, down to ~9 MB compressed.
  4. v0.1.0 (19 April 2026)
    • Initial release with ingest, query, and stats subcommands on the CLI.
    • SQLite-backed local indexing with blake3 content hashing for dedup.
    • Typed query language supporting AND, =, !=, >, <, contains, last, and since.
    • Read-only HTTP server exposing /query as NDJSON and /stats as JSON.

Looking for something that isn't here? Check the v1 non-goals — some things are intentionally out of scope.

Get it

Install in one command.

Pick whichever your build pipeline already understands.

$ cargo install logdive
$ cargo install logdive-api   # optional, for the HTTP server

$ docker pull ghcr.io/aryagorjipour/logdive:0.3.0
$ docker run -d \
    --name logdive \
    -v logdive-data:/data \
    -p 4000:4000 \
    ghcr.io/aryagorjipour/logdive:0.3.0

$ git clone https://github.com/Aryagorjipour/logdive
$ cd logdive
$ cargo build --release
$ ./target/release/logdive --version