Grepline ships every log line off every host, container, and Lambda into one full-text index — then lets you grep all of it in real time. The regex that worked on one box now works across ten thousand. First result before you finish typing the pattern.
```
$ grep '5\d\d' service=checkout last=15m | stats count by host
scanning 1.2T lines across 9,840 hosts ............ 312ms
host                 status  count  Δ vs 1h
checkout-7f4 (ca-1)  503     1,204  ▲ 1,180
checkout-2b9 (ca-1)  503     118    ▲ 96
checkout-d31 (us-3)  200     —      nominal
[pattern] all 503s carry trace_id + same build v4.18.2
[narrow]  add | where build=v4.18.2 → 1,322 lines
[live]    streaming new matches ......... ⏵ tailing
✓ saved as alert "checkout 5xx spike" · notify #oncall
```

On-call engineers grep here when prod gets loud
You already know how to find a line. Grepline just makes the haystack the whole fleet instead of one ssh session — fully indexed, always live, and fast enough to iterate on the pattern instead of waiting for it.
Every line is tokenized and indexed on arrival — no nightly rollup, no sampling that drops the one log you needed. A raw substring, a regex, a field filter, or a structured query all return the same way: in milliseconds, over the entire retention window. The pattern you'd run on a single file runs against a trillion lines and comes back before your cursor blinks.
Pipe matches into count, percentile, group-by, and rate without leaving the search bar. `| stats p99(latency) by route` works mid-incident — no export, no notebook, no waiting on a query job.
`tail -f` every matching host at once. New lines stream into the same query you're already reading — no refresh, no re-run.
Grepline collapses millions of near-identical lines into the handful of distinct shapes behind them, so a flood reads as five patterns, not five million rows.
Any search becomes a live alert. Match count crosses your threshold and it fires to Slack, PagerDuty, or a webhook — with the matching lines attached, not just a number.
What a real incident query looks like
A single binary tails everything a host emits and ships it structured, compressed, and back-pressured. No per-source config marathon, no log-shipping sidecar zoo — just one agent and one endpoint.
Files, journald, syslog, Docker, Kubernetes, and Lambda — auto-discovered. New containers start streaming the moment they boot, no manifest edits.
JSON, logfmt, and common access logs are field-extracted at the edge, so `status`, `latency`, and `trace_id` are queryable the instant they land.
Local disk buffering and adaptive back-pressure ride out network blips and ingest spikes. The agent degrades gracefully; it does not silently lose logs.
The whole query engine ships as a CLI. Pipe a live Grepline search into `grep`, `jq`, `awk`, or a dashboard — same results, no browser required.
Real questions on-call asks at 3 a.m., answered in one Grepline line instead of a war room.
`grep '5\d\d' last=30m | stats count by build` — the regression names the release before anyone opens the deploy log.
`field trace_id=9f31c2` returns every line that request touched, in order, across all hosts — one timeline, zero tab-switching.
`source=postgres | where duration>2s | stats count by query` surfaces the full-table scan the moment it starts hurting.
`source=vault action=read path~='secret/prod/*'` — a searchable, retained access trail, no SIEM project required.
`tail build=v4.19.0` streams matching lines as the new version reaches each host — promote or roll back on evidence.
`level=warn last=24h | stats count by pattern` ranks the loudest log lines so you fix the worst offenders, not the random ones.
“We used to fan out four engineers across four ssh sessions, each tailing a different box. Now one person greps the whole fleet from one bar and reads the answer out loud. Our 5xx incidents went from a war room to a one-liner.”
“The pattern clustering is the feature nobody believes until a flood hits. Two million error lines collapsed into five shapes, and four of them were the same null check. We shipped the fix before the alert even re-fired.”
“Our old log bill scaled with traffic, so we sampled — and of course we sampled away the exact lines we needed during the worst outage of the year. Grepline charges per host, so we index everything now and just grep it.”
Per-gigabyte log pricing makes you choose between visibility and your budget. We charge for the hosts you run, so you can index every line and never watch the meter mid-incident.
For side projects and a handful of boxes.
For teams that live on the page.
For regulated, multi-region, high-volume fleets.
Both, and that's the point. Every line is tokenized and indexed the moment it arrives, so a raw substring, a regex, or a structured field filter all return in milliseconds over the full retention window — not just over the last few minutes you happened to be tailing. You get grep's mental model with an index's speed across the entire fleet.
One agent. A single binary auto-discovers files, journald, syslog, Docker, Kubernetes, and Lambda, parses JSON and logfmt at the edge, and ships everything compressed and back-pressured to one endpoint. New containers start streaming the moment they boot — there's no per-source config to maintain and no shipping sidecar to babysit.
Because per-gigabyte pricing punishes you for the visibility you need most, exactly when you need it. Teams on usage-based plans sample logs to control cost and then lose the one line that mattered during an outage. We price per host so you can index every line from every box and your bill never spikes with your traffic.
Grepline's query language — grep semantics with a stats engine bolted on. Start with a pattern or a field filter, then pipe matches into count, group-by, percentiles, and rates: `grep timeout last=1h | stats p99(latency) by route`. It reads like the shell pipeline you'd already write, runs live across the whole fleet, and any LQL query can be saved as an alert or run from the CLI.
Median full-text queries return in roughly 300 milliseconds over a trillion indexed lines, and live tail streams new matches in real time. It's fast enough to iterate on the pattern interactively — narrow, widen, re-group — instead of submitting a query and waiting for a job to finish.
Yes. Run Grepline fully inside your VPC or in an isolated single-tenant cloud, point storage at your own S3, R2, or GCS bucket, and pin data residency by region. Logs are encrypted in transit and at rest, you can purge any stream on demand, and Enterprise adds SSO, SCIM, and full audit logs.
Drop one agent on one host and grep it in about five minutes. Free up to five boxes, no card, no sales call — keep it if the first query saves you a war room.