Many applications nowadays output JSON-formatted log files so that they can be scraped by the newest, hippest monitoring cluster (think of Splunk, Elastic Filebeat, etc.). That is of course very nice and I applaud that kind of observability, but sometimes you are just on the machine fighting with a service that does not want to start, or you just want to monitor it a bit closer to real time, or you just are not the browser type. Luckily there is a relatively easy trick for this:
Let’s say your logfile in /var/log/demoapp.log contains entries like:
{"@timestamp":"2026-02-18T08:56:39.391Z","log.level":"DEBUG",
"message":"Hello this is a debug message that you'd really like to see.",
"ecs.version": "1.2.0","service.name":"critical-app",
"service.version":"0.0.1-SNAPSHOT","service.environment":"acc",
"event.dataset":"ops-dataset","process.thread.name":"DefaultDispatcher-worker-2",
"log.logger":"com.rolfje.demoapp.DemoServer","device.id":"XYZ123"}
Then you can easily tail it in a readable form with stdbuf, jq and tsv, and highlight WARN and ERROR with grep (stdbuf keeps jq and cut from holding lines back in their output buffers while they write to a pipe):
tail -100F /var/log/demoapp.log \
  | stdbuf -o0 jq -r '[."@timestamp", ."log.level", .message, .stack_trace] | @tsv' \
  | stdbuf -o0 cut -c 1-200 \
  | grep -E --color=auto "^|WARN|ERROR"
This will output a single line per JSON object:
2026-02-18T08:56:39.391Z DEBUG Hello this is a debug message that you'd really like to see.
Bonus: You can add and trim fields in the jq arguments. For instance, adding (."log.logger" // "")[-10:] to the array gives you the last 10 characters of the logger name if it exists.
Feel free to modify this or put it in a script.
Cheers!
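With the one-liner, jq exits at the first line that is not JSON (a startup banner, a bare stack trace), and @tsv escapes only tabs, newlines, carriage returns and backslashes, so other control characters in a logged message reach your terminal as-is. The script below is an added example, not part of the original post: it passes non-JSON lines through and replaces control characters. The name jsonlog_fmt, the RAW marker and the "?" replacement are choices made for this example.

```shell
#!/bin/sh
# Added example (not the original post's code): the one-liner as a script.
# jsonlog_fmt (hypothetical name) reads log lines on stdin and prints
# timestamp, level, message and stack trace as one tab-separated line each.
jsonlog_fmt() {
  jq -R -r --unbuffered '
    # Nested values become JSON text; control characters other than
    # tab, LF and CR (which @tsv escapes itself) become "?".
    def safe:
      if type == "object" or type == "array" then tojson else . end
      | if type == "string" then
          explode
          | map(if (. < 32 and . != 9 and . != 10 and . != 13)
                   or (. >= 127 and . < 160) then 63 else . end)
          | implode
        else . end;
    . as $raw
    # -R reads every line as a string, so a non-JSON line cannot abort jq.
    | (fromjson? // null) as $j
    | (if ($j | type) == "object"
       then [$j["@timestamp"], $j["log.level"], $j.message, $j.stack_trace]
       else ["-", "RAW", $raw] end)
    | map(safe) | @tsv
    # Truncate inside jq, so no extra buffering process is needed.
    | .[0:200]'
}

# Usage: sh jsontail.sh /var/log/demoapp.log   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
  tail -n 100 -F "$1" \
    | jsonlog_fmt \
    | grep --line-buffered -E --color=auto '^|WARN|ERROR'
fi
```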