Analyze Gzip Log Files in Linux Without Extracting Them

Learn to read and analyze gzipped compressed log files on a Linux box without extracting them first with the help of the lesser known Z commands.

On Linux servers, logs are often compressed in gzip format to save disk space.

If you are investigating an issue and have to deal with gzip compressed logs, the normal workflow is to extract the .gz log files first and then use commands such as cat, less and grep to read and analyze the logs.

Why? With regular text files, you can use the cat command to view the content, run grep on it, or use less to read it without flooding your screen. Compressed files cannot be used with the same regular Linux commands.

[Figure: Viewing a gzip file with the normal `cat` command shows random-looking text]

But extracting the compressed log files first and then analyzing them takes more time and disk space. You extract all the required files one by one, analyze them and then remove the extracted files when you don't need them anymore.

There is a better way. Use Z commands!

Dealing with Gzip compressed files without extracting them

Not many people are aware of the powerful 'Z commands' that work on the gzipped files without you needing to extract them first. They work directly on compressed files.

Actually, they do kind of extract the file temporarily in /tmp, but that’s not the same as an actual extraction, is it?

These Z commands provide a ‘Z’ equivalent to regular file manipulation commands.

So, you get:

  • zcat: cat to view compressed file
  • zgrep: grep to search inside the compressed file
  • zless for less, zmore for more: to view the file in pages
  • zdiff: diff to see the difference between two compressed files

Don't worry too much. You don't have to learn new command syntax. These Z commands work pretty much the same as their regular counterpart for the most popular options.

Let's see it in action.

Viewing compressed files with zcat

If you use the cat command, you can replace it with zcat. zcat is used in exactly the same manner as you use cat. For example:

zcat logfile.gz

This will display all the contents of logfile.gz without even extracting it.

You can use regular less and more commands with zcat to see the output in pages:

zcat logfile.gz | less
zcat logfile.gz | more

If you don’t know if the file is compressed (i.e., files without .gz extension), you can use zcat with option -f. This will display the content of the file irrespective of whether it is gzipped or not.

zcat -f logfile.gz
[Animation: zcat command]
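
The zcat -f behaviour described above matters most with rotated logs, where the newest files are still plain text and the older ones are gzipped. The script below is an added example, not part of the original article: it counts failed SSH password attempts per source IP across such a set in a single pass. The auth.log* file names, the sshd line format and the sample entries are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): count failed SSH password
# attempts per source IP across rotated logs, some plain and some gzipped.

# failed_logins_by_ip DIR -> prints "COUNT IP" lines, highest count first.
# zcat -f copies files that are not gzip data through unchanged, so the whole
# rotation set is read in one pipeline and no extracted copies are left behind.
failed_logins_by_ip() {
    zcat -f "$1"/auth.log* |
        awk '/sshd\[[0-9]+\]: Failed password/ {
                 # Scan from the end so a user literally named "from"
                 # cannot shift the address field.
                 for (i = NF - 1; i > 0; i--)
                     if ($i == "from") { hits[$(i + 1)]++; break }
             }
             END { for (ip in hits) print hits[ip], ip }' |
        sort -k1,1nr -k2,2
}

# make_sample_logs DIR -> writes a constructed rotation set. Host names, users
# and addresses (RFC 5737 documentation ranges) are made up for this example.
make_sample_logs() {
    p='Failed password for'
    printf '%s\n' \
        "Jan 12 09:01:10 web1 sshd[2101]: $p root from 203.0.113.7 port 40112 ssh2" \
        "Jan 12 09:02:44 web1 sshd[2107]: Accepted publickey for deploy from 192.0.2.10 port 51514 ssh2" \
        "Jan 12 09:05:31 web1 sshd[2113]: $p invalid user admin from 198.51.100.23 port 33870 ssh2" \
        > "$1/auth.log"
    printf '%s\n' \
        "Jan 11 22:40:02 web1 sshd[1820]: $p root from 203.0.113.7 port 40001 ssh2" \
        "Jan 11 22:40:09 web1 sshd[1822]: $p invalid user test from 203.0.113.7 port 40003 ssh2" \
        > "$1/auth.log.1"
    printf '%s\n' \
        "Jan 10 03:12:01 web1 sshd[1234]: $p root from 203.0.113.7 port 52144 ssh2" \
        "Jan 10 03:15:47 web1 sshd[1240]: $p invalid user oracle from 198.51.100.23 port 33001 ssh2" \
        "Jan 10 08:00:12 web1 sshd[1302]: Accepted password for alice from 192.0.2.10 port 51200 ssh2" \
        | gzip -c > "$1/auth.log.2.gz"
}

# Demonstration on the constructed logs.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
failed_logins_by_ip "$demo_dir"
rm -rf "$demo_dir"
```
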

Reading compressed files with zless and zmore

Same as less and more, you can use zless and zmore to read the content of the compressed files without decompressing the files. All the keyboard shortcuts of less and more work the same.

zless logfile.gz
zmore logfile.gz

Searching inside compressed files with zgrep

Grep is a hell of a powerful command and, I think, one of the most used Linux commands. zgrep is the Z counterpart of grep that allows you to search inside gzip compressed files without extracting them.

You can use it with all the regular grep options. For example:

zgrep -i keyword_search logfile.gz

Comparing compressed files with zdiff

While this might not be that useful on huge log files, you can use zdiff to see the difference between compressed files, in the same way as you use the diff command.

zdiff logfile1.gz logfile2.gz
[Animation: zdiff command]

Speaking of diff, you may want to look at the Meld GUI diff tool.

Summary

| Command | Use | Example |
|---------|-----|---------|
| zcat | cat to view compressed file | `zcat <path_to_gzipped_log_file>` |
| zgrep | grep to search inside the compressed file | `zgrep -i <keyword> <path_to_gzipped_log_file>` |
| zless | less to view the compressed file in pages | `zless <path_to_gzipped_log_file>` |
| zmore | more to view the compressed file in pages | `zmore <path_to_gzipped_log_file>` |
| zdiff | diff to see the difference between two compressed files | `zdiff <path_to_first> <path_to_second>` |

Now you know how to work with gzipped files. Check out more about the gzip command in Linux:

How to Use the gzip Command in Linux
gzip is one of the most useful but often overlooked utilities. Learn to use this handy tool.

Or perhaps you would want to learn about analyzing journal logs.

How to Use journalctl Command to Analyze Logs in Linux
Beginner’s guide to using journalctl commands for viewing, filtering and analyzing journal logs in Linux.

The Z commands are awesome! And I know that many people get their 'Eureka moment' when they first learn about them.

What about you? Did you find these z commands useful? The comment section is all yours.

About the author
Abhishek Prakash
