LogSense User Guide

LogSense is a fully browser-based log analysis tool. It parses your log files, detects patterns, surfaces root causes, and gives you a navigable timeline of what happened - all without sending a single byte to any server.

Everything runs in your browser. No account, no upload, no backend. Your logs never leave your machine.

Getting Started

There are four ways to load a log into LogSense:

Drag & Drop - drag one or more log files from your file manager and drop them anywhere on the app window.
Upload button - click Upload Log File on the home screen and select a file.
Paste text - click the Paste / type logs area and paste raw log content directly.
Demo log - click Try the demo to load a simulated production incident log that showcases all features.

Once loaded, LogSense automatically detects the format, parses all entries, runs analysis, and opens the log viewer.

Adding more files

Click + Add Files in the top bar while a log is already loaded. If the new file is the same format as the current log (e.g. two PHP logs), they are merged and re-analyzed together. If the formats differ, you will be asked whether to start fresh or merge anyway.

Starting over

Click the LogSense logo in the top-left, or use the New analysis (clear) command in the Command Palette. A confirmation dialog will appear before clearing.

Supported Log Formats

LogSense auto-detects the format by scoring the first 50 lines against known patterns. It picks whichever format scores highest, then falls back to generic parsing for anything that doesn't match a known structure.

Format	Auto-detected?	Timestamp style	Notes
Nginx error log	Yes	`2024/01/15 10:30:45`	Parses severity, client IP, upstream info
Nginx access log	Yes	`[15/Jan/2024:10:30:45 +0000]`	Combined Log Format; status code, bytes, referrer, UA
Apache error log	Yes	`[Mon Jan 15 10:30:45]`	Supports `client` and module annotations
Apache access log	Yes	`[15/Jan/2024:10:30:45 +0000]`	Same as Nginx access format detection
PHP error log	Yes	`[15-Jan-2024 10:30:00 UTC]`	Parses Fatal, Warning, Notice, Deprecated. Custom debug lines with the same bracket-timestamp prefix also parsed. Stack traces grouped under their parent error.
Syslog RFC 3164	Yes	`Jan 15 10:30:45`	No year in timestamp - current year assumed
Syslog RFC 5424	Yes	`2024-01-15T10:30:45Z`	Full structured syslog with facility/severity codes
JSON logs	Yes	Any ISO / epoch field	Reads `level`, `message`, `timestamp`, `service` and common aliases. Supports Pino numeric levels.
Node.js Winston	Yes	`2024-01-15T10:30:45Z`	`LEVEL: message` format after ISO timestamp
Node.js Pino	Yes	Epoch milliseconds	Detected as JSON; numeric level field decoded
Generic / mixed	Fallback	Any recognizable pattern	Tries ISO 8601, epoch ms/s, YYYY/MM/DD, DD-Mon-YYYY, Apache bracket, syslog month-day. Extracts severity keywords from text.

What if my log isn't on this list?

LogSense's generic parser will still attempt to extract a timestamp and severity from each line using a broad set of patterns. As long as your log has recognizable timestamps and severity keywords (ERROR, WARN, INFO, DEBUG, etc.) in each line, it should parse reasonably well. Lines it cannot parse are shown as Unknown severity.

Multi-line entries

Stack traces and continuation lines are automatically attached to their parent log entry. PHP stack frames (#0 /path/file.php(line):), Java/Node at … frames, Python tracebacks, and Ruby frames are all recognized. The full trace is shown in the Detail Panel when you open an entry.

Log Viewer

The main log view uses virtual scrolling - only the rows currently visible on screen are rendered. This allows LogSense to handle 100,000+ line logs without slowdown or memory issues, regardless of how large the file is.

Log row anatomy

Line number (optional) - original file line number, toggleable in Settings.
Timestamp (optional) - parsed time of the entry. Shown in your local timezone. Toggle in Settings.
Severity badge - color-coded: ERROR, WARN, INFO, DEBUG, UNKNO.
Source tag (optional) - the detected service or file source (e.g. nginx, php, app).
Message - the log message with search terms highlighted when searching.
Duplicate count badge - shown on the right when entries are grouped (e.g. ×71). Click to expand.
Stack / Root cause badge - stack if the entry has a stack trace; root cause pattern label if detected.
Timeline annotation - ⚡ Peak failure, ✅ Recovery, 📍 Event - attached to key entries identified during analysis.

Selecting entries

Click any row to select it and open the Detail Panel on the right. The panel shows the full raw line, parsed fields, stack trace with syntax highlighting, and contextual entries around it.

Navigation header

Above the log: total entry count (filtered vs. total), a First error jump button, and a Copy button that copies all visible filtered lines to the clipboard.

Filtering & Search

The left sidebar contains all filter controls. Filters are cumulative - all active filters must pass for an entry to be shown.

Search

Type in the search box to filter by message content, source, or filename. The search is case-insensitive by default.

Regex checkbox - enables regular expression search (e.g. error|fail, \bTimeout\b).
Case checkbox - makes search case-sensitive.

Severity

Toggle Error, Warning, Info, Debug, and Other on/off to hide entire severity levels.

Source

When a log contains entries from multiple detected sources (e.g. nginx + php + app), per-source checkboxes appear. Uncheck a source to hide all its entries.

Display options

Show noise - unhides entries that were auto-classified as noise. Noise detection applies to access logs only: health check endpoints (/health, /ping, /metrics), static asset requests (.css, .js, images), and known bot user-agents (Googlebot, etc.). The noise count is shown in the sidebar stats when noise is present. For application logs (PHP, syslog, JSON) this option has no effect because no noise is detected in those formats.
Group duplicates - collapses identical or near-identical messages into a single row with a repeat count. See Deduplication for how this works.
Bookmarks only - shows only entries you've bookmarked with b.
Errors only - quick filter that hides everything except ERROR-level entries.

Time range filter

Click and drag on the Timeline Minimap to select a time window. Only entries within that range will be shown. A "clear" link appears above the log to reset the range. This feature is only available when the log has parseable timestamps.

Deduplication

When Group duplicates is enabled (default), LogSense groups entries that share the same deduplification key. The first occurrence is shown with a badge counting how many times it repeated (e.g. ×71).

How the key is computed

The message is normalized before comparison:

Numbers are stripped (so user_id=1234 and user_id=5678 deduplicate together)
UUIDs, IPs, hex strings, and long tokens are removed
Whitespace is collapsed
The result is truncated to 80 characters

This means a burst of 1,000 near-identical errors like "MySQL: Too many connections (max_connections=151 current=152)" collapses to one row so you can focus on the signal, not the repetition.

Disabling the checkbox immediately re-renders all individual entries.

Noise Filtering

Noise filtering is designed for access logs (nginx, Apache). It automatically hides entries that are routine and rarely relevant to incidents:

Health-check and liveness probes: /health, /healthz, /ping, /status, /ready, /metrics
Static asset requests: .css, .js, fonts, images, favicon.ico, robots.txt
Known crawler bots: Googlebot, Bingbot, DuckDuckBot, YandexBot, facebookexternalhit, etc.
Kubernetes health probes (kube-probe/) and ELB health checkers
HEAD / requests

4xx and 5xx responses are never classified as noise, even if they match a health-check path.

For application logs (PHP, syslog, JSON, Node.js), nothing is classified as noise - the Show noise toggle will have no visible effect on those log types.

The sidebar stats show how many entries are noise-hidden (e.g. 47 noise hidden) when applicable.

Timeline Minimap

The horizontal bar chart above the log viewer shows your entire log's activity compressed into a single view - the x-axis is real time, not entry count. Each bar represents a time bucket (minimum 1 minute). Bar height shows total entries; color layers show Error (red), Warn (amber), and Info (blue) proportions.

Navigating with the minimap

Click anywhere on the minimap to jump to that point in time.
Drag left/right to scrub through the log continuously.
Hover to see a tooltip with the time and entry counts for that bucket.
The blue viewport box shows your current scroll position relative to the full time range.
The minimap spike marker (⚡ label) marks the peak error bucket.

When there are no timestamps

If your log has no parseable timestamps, the timeline minimap is hidden entirely and a notice is shown: "No timestamps detected - timeline unavailable. Entries are shown in file order." All other features (filtering, search, deduplication, DNA sidebar) work normally.

The minimap uses real time on its x-axis. If your log spans months (e.g. a development debug log with entries from June and October), the error spike will appear at the correct point in that time range - it is not proportional to entry count.

Log DNA Sidebar

The narrow vertical strip on the right edge of the log viewer is the Log DNA - a pixel-level fingerprint of your entire log. Every entry maps to a colored pixel (or band of pixels if the log is very long), letting you see severity patterns across 100,000+ lines at a glance.

Color coding

■ Red - errors
■ Amber - warnings
■ Blue (faint) - info
■ Dark - debug / unknown

The intensity scales with density - a solid block of errors in a short window looks bright red, while scattered errors over a long run appear as faint red pixels.

Interaction

Click anywhere on the DNA to jump to that position in the log.
Drag up/down to scrub continuously.
Hover to see a tooltip with the percentage position, timestamp (if available), and nearby severity counts.
The purple outline box shows your current viewport position relative to the full log.
Key events annotated from the Summary are shown as tick marks on the DNA strip.

The DNA always reflects the current filtered list - if you filter to errors only, the DNA shows only error entries.

Log Comparison

The Compare button (top bar, next to Add Files) lets you load a second log file and see exactly what changed between the two. This is useful when comparing a before/after deployment, two different servers, or logs from two time windows.

How to use

Load your base log as usual (Log A).
Click the Compare button in the header. The log viewer splits into two panels.
Drop or browse for a second log file (Log B) into the right panel.
LogSense computes the diff and highlights differences in both panels.
Click Compare again (or the x in the right panel header) to exit compare mode.

Diff highlighting

Red border - entries in Log A that do not appear in Log B (only in base)
Green border - entries in Log B that do not appear in Log A (new in compare)
Uncolored entries appear in both logs

How matching works

Entries are matched by their deduplication key - the same normalized message used for the Group duplicates feature (numbers, IPs, UUIDs stripped). Two entries match if their normalized messages are equivalent, even if the exact values differ. For example, "user_id=1234 timed out" in Log A matches "user_id=5678 timed out" in Log B.

Diff summary bar

When compare mode is active, a bar appears above the log panels showing: shared (in both logs), only in A (removed/resolved), and new in B (added/appeared). Each panel header also shows its unique-to-that-panel count.

All existing filters (severity, search, time range) apply independently to each panel. The diff computation always uses the full unfiltered log, so filtering one panel does not affect the other.

Summary Tab

After analysis, the Summary tab generates a human-readable incident narrative. It is produced entirely by deterministic rules - no AI, no API calls, no internet required.

What's in the summary

Incident overview - one-paragraph description of what happened, when it started, when it resolved (if detected), and how many entries were involved.
Root cause - the most likely cause, with confidence score and supporting evidence. Detected by matching entries against a library of known patterns (database exhaustion, OOM, certificate errors, auth failures, etc.).
Timeline - key events extracted from the log in chronological order, with their severity and timestamps.
Top errors - the most frequent error messages, deduplicated.
Recommendations - actionable steps based on the detected root cause pattern.

Timeline annotations in the log viewer

Key events from the Summary timeline are matched back to their nearest log entry and shown as floating badges in the log rows: ⚡ Peak failure, ✅ Recovery, 📍 Event name.

Insights Tab

The Insights tab provides statistical charts and breakdowns:

Activity chart - error/warn/info counts over time with time-axis labels.
Severity breakdown - proportional bar showing error vs. warn vs. info vs. debug.
Top error messages - the most frequent unique errors, ranked by count.
Top sources - which services or files produced the most entries.
Anomaly detection - Z-score analysis flags time windows where the error rate was statistically unusual (e.g. "Error spike detected: 3.2× above baseline").
Root cause panel - same root cause data as Summary, with confidence score and pattern name.

AI Analysis (PRO)

The free version of LogSense includes fully deterministic, rule-based analysis - no AI, no external API calls, no internet required. Everything described in this guide is available to everyone, forever, at no cost.

The AI Analysis tab in the app is reserved for the PRO variant, which layers a real language model on top of the existing analysis engine to unlock capabilities that rules alone cannot provide:

PRO AI features

Natural language Q&A - ask questions about your log in plain English. "Why did the service restart at 14:08?" or "What caused the connection pool to saturate?"
Intelligent root cause narrative - instead of pattern-matched labels, the AI writes a detailed explanation of what happened, why it happened, and what the chain of events was.
Custom pattern recognition - the AI identifies anomalies and patterns specific to your application that are not in any built-in rule library.
Automated remediation suggestions - concrete, context-aware steps to fix the issue based on your actual stack and error messages, not generic advice.
Cross-log correlation - upload multiple logs (application + database + nginx) and the AI reasons across all of them to find relationships between events in different systems.
Executive summary export - generates a concise incident report suitable for sharing with non-technical stakeholders, in your format of choice.

Contact us for a PRO license quote

PRO is a commercial license aimed at teams and organisations that need AI-powered analysis on sensitive infrastructure logs - with all the same privacy guarantees as the free version (the AI runs via a private API endpoint, log data is not stored or used for training).

Command Palette

Press ⌘K (Mac) or Ctrl+K (Windows/Linux) to open the Command Palette. You can also click the Search ⌘K button in the top-right header.

The palette has two modes:

Commands - type any keyword to find and run any app action (jump to first error, export, open settings, clear filters, toggle options, load demo, start new analysis…).
Log search - type 2+ characters to search log entries in real time. Matching entries appear in the results; press Enter or click to jump directly to that entry.

Navigate results with ↑ / ↓, run with Enter, close with Esc.

Keyboard Shortcuts

Key	Action
`j` / `↓`	Move selection down one entry
`k` / `↑`	Move selection up one entry
`Enter`	Open detail panel for selected entry
`Esc`	Close detail panel / close any modal
`n`	Jump to next error (opens detail panel)
`p`	Jump to previous error (opens detail panel)
`b`	Toggle bookmark on selected entry
`f`	Focus search box
`⌘K` / `Ctrl+K`	Open Command Palette
`⌘,` / `Ctrl+,`	Open Settings

Settings

Open via the gear icon (top right) or ⌘, / Ctrl+,.

Display

Log font size - Small (11px), Medium (12.5px), Large (14px). Affects only the log rows.
Row height - Compact (28px), Normal (36px), Comfortable (44px). Changing this re-renders the virtual list.
Show line numbers - shows the original file line number at the start of each row.
Show timestamps - shows the parsed timestamp in each row. When disabled, only the message is shown.
Show source tags - shows the detected source/service label (e.g. nginx, php).

Behavior

Auto-jump to first error on load - when enabled, LogSense automatically scrolls to and opens the first error entry after loading a file.
Group duplicates by default - whether deduplication is on when a new log is loaded.
Export format - the format used when clicking Export. Options: Markdown (default), JSON, Plain Text.

Demo

Click Load sample log to load a simulated 22-minute production database incident. It showcases all features: error storm, recovery, deduplication, root cause detection, timeline annotations, and stack traces.

Session Persistence

When you load a log, LogSense saves it to your browser's localStorage under the key logsense_session. If you refresh the page, your log is automatically restored - you don't need to re-upload the file.

Sessions expire after 7 days.
The maximum stored size is 4 MB of raw text. Files larger than this are processed normally but not persisted across refreshes.
To clear the session manually, click the LogSense logo (same as resetting the analysis) or use the New analysis (clear) command in the palette.

No data is sent anywhere - localStorage is stored entirely in your browser and never leaves your machine.

Export

Click Export in the top bar to download a report of the current analysis. The export includes:

The generated incident summary (if available)
The timeline of key events
Root cause and recommendations
Top errors and entry counts

Choose the format in Settings: Markdown (for sharing in GitHub issues, Confluence, Notion), JSON (for programmatic use), or Plain Text.

The export is a snapshot of the analysis, not the raw log. It does not export the full log content.

Limitations

Limitation	Details
Max file size	50 MB per file
Max processable size	~3 million characters per file. Beyond this, LogSense displays an error and asks you to split the file. Use `head -n 100000 bigfile.log > part1.log` to create chunks.
Session persistence	Up to 4 MB stored in localStorage. Larger logs are analyzed normally but won't survive a page refresh.
No timestamps	The Timeline Minimap requires parseable timestamps. If none are found, the minimap is hidden and entries are shown in file order.
Noise detection	Only applies to HTTP access logs. Has no effect on application logs.
Root cause detection	Rule-based pattern matching against a built-in library. It detects common infrastructure failure patterns well but may not recognize application-specific error codes.
Summary generation	Deterministic, not AI. Works best on logs with clear error/recovery patterns and parseable timestamps.
Binary / compressed files	Not supported. Decompress `.gz` files before uploading (`gunzip file.log.gz`).
Encoding	UTF-8 expected. Files with other encodings may show garbled characters but will still parse.

Privacy

LogSense is 100% client-side. There is no backend, no analytics, no telemetry, and no network requests made with your log data.

Your log files are read directly in the browser using the FileReader API.
All parsing, analysis, and rendering happens in JavaScript running in your tab.
The only external network request the app makes is loading the fonts from Google Fonts when the page first loads.
Session data is stored in your browser's localStorage and is never transmitted anywhere.

You can use LogSense safely on confidential production logs, internal infrastructure logs, or any data you would not want to send to a third-party service.