benwaffle/apple-logarchive
skills/apple-logarchive/SKILL.md
Query and analyze Apple .logarchive files using the macOS `log show` command
databases
Updated Apr 20, 2026
$ install --global
skillsauthnpx skillsauth add benwaffle/skills apple-logarchiveInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 3:15 AM5.0s1 file scanned
SKILL.md
- name:
- apple-logarchive
- description:
- Query and analyze Apple .logarchive files using the macOS `log show` command
- user-invocable:
- true
Apple Log Archive Skill
You are an expert at analyzing macOS/iOS unified log archives (.logarchive bundles) using the /usr/bin/log command.
When to Use
Activate when the user wants to:
- Search, filter, or analyze a
.logarchivefile - Find errors, faults, or crashes in system logs
- Investigate a specific process, subsystem, or category in logs
- Understand what happened during a time window
- Count or summarize log activity
Step 1 — Locate the Archive
Ask the user for the path to their .logarchive if not already provided. Verify it exists:
ls <path>.logarchive/Info.plist
Step 2 — Determine Time Range
Get the first and last timestamps to understand the archive's span:
/usr/bin/log show --style ndjson --no-pager <archive> | head -1
/usr/bin/log show --style ndjson --no-pager <archive> | tail -1
Step 3 — Query the Archive
Use /usr/bin/log show with appropriate filters. Always pass --no-pager to prevent interactive mode.
Command Structure
/usr/bin/log show [options] <archive>
Key Options
| Option | Description |
|---|---|
| --predicate '<filter>' | Filter using NSPredicate or shorthand syntax |
| --style <format> | Output format: default, syslog, json, ndjson, compact |
| --start 'Y-M-D H:m:s' | Show events from this time |
| --end 'Y-M-D H:m:s' | Show events up to this time |
| --last <N>m\|h\|d | Show last N minutes/hours/days |
| --info | Include Info-level messages (excluded by default) |
| --debug | Include Debug-level messages (excluded by default) |
| --source | Annotate with source file and line number |
| --process <name\|pid> | Filter by process name or PID |
| --no-pager | Always use this — prevents interactive less |
Predicate Fields
| Field | Type | Description |
|---|---|---|
| process (shorthand: p) | string | Process name |
| processIdentifier (shorthand: pid) | integer | Process ID |
| subsystem (shorthand: s) | string | Subsystem (e.g. com.apple.xpc) |
| category (shorthand: c, cat) | string | Category within subsystem |
| composedMessage (shorthand: m) | string | Log message text |
| sender (shorthand: l, lib) | string | Library/sender name |
| logType | log type | default, info, debug, error, fault |
| type (shorthand only) | event type | default, info, debug, error, fault, loss, signpost |
| senderImagePath | string | Full path to sender library |
| processImagePath | string | Full path to process binary |
| threadIdentifier (shorthand: tid) | integer | Thread ID |
| eventType | string | logEvent, signpostEvent, stateEvent, activityCreateEvent, timesyncEvent, lossEvent |
Predicate Syntax — Shorthand (preferred for simple queries)
# By process
'p=Safari'
'p=foo|bar' # multiple processes (OR)
# By message content
'"error loading"' # message contains (field omitted = message)
'm:"timeout"' # explicit message contains
'm~/"regex pattern"' # regex match
# By subsystem/category
's=com.apple.xpc'
'c=connection'
# By log level
'type=error'
'type>=error' # error + fault
# Combined
'p=CommCenter AND type>=error'
'pid=100 AND "connection"'
's=com.apple.xpc AND c=connection AND type=error'
Predicate Syntax — NSPredicate (for complex queries)
'process == "Safari"'
'composedMessage CONTAINS "error"'
'subsystem == "com.apple.xpc" AND category == "connection"'
'logType == "fault" OR logType == "error"'
'composedMessage MATCHES ".*timeout.*"'
'processImagePath ENDSWITH "CommCenter"'
'eventType == "signpostEvent"'
Comparison Operators
| Operator | Description |
|---|---|
| ==, = | Equality |
| !=, <> | Inequality |
| CONTAINS, : | Contains substring |
| BEGINSWITH, :^ | Starts with |
| ENDSWITH | Ends with |
| LIKE | Wildcard match (? = 1 char, * = 0+ chars) |
| MATCHES, ~/ | Regex match |
| AND, OR, NOT | Logical operators |
Output Guidelines
- Use
--style ndjsonwhen you need to parse or count results programmatically (pipe towc -l,head,tail, etc.) - Use
--style default(or omit) for human-readable output to show the user - Use
--style compactfor a denser human-readable view - Always pipe through
head -Nfor initial exploration to avoid overwhelming output — logarchives can contain millions of entries - For counting:
/usr/bin/log show --no-pager --style ndjson --predicate '...' <archive> | wc -l
Common Workflows
Find all errors and faults
/usr/bin/log show --no-pager --predicate 'type>=error' <archive> | head -50
Investigate a specific process
/usr/bin/log show --no-pager --predicate 'p=SpringBoard' --info --debug <archive> | head -100
Search for a keyword in messages
/usr/bin/log show --no-pager --predicate '"crash"' <archive> | head -50
Logs from a specific subsystem during a time window
/usr/bin/log show --no-pager --start '2026-03-01 10:00:00' --end '2026-03-01 10:05:00' --predicate 's=com.apple.xpc' <archive>
Count events by type
/usr/bin/log show --no-pager --style ndjson --predicate 'type=error' <archive> | wc -l
/usr/bin/log show --no-pager --style ndjson --predicate 'type=fault' <archive> | wc -l
List unique processes in the archive
/usr/bin/log show --no-pager --style ndjson <archive> | head -1000 | python3 -c "import sys,json; procs=set(); [procs.add(json.loads(l).get('processImagePath','')) for l in sys.stdin]; print('\n'.join(sorted(procs)))"
Important Notes
- Always use
--no-pager— interactive pagers hang in non-interactive shells - Always pipe through
headon first query — archives can be enormous - By default only
DefaultandError/Faultlevel messages are shown; pass--infoand/or--debugto include lower-severity messages - Time format for
--start/--end:'Y-M-D H:m:s'or'Y-M-D' - Use shorthand predicates for simple queries; use NSPredicate syntax when you need
MATCHES,ENDSWITH,LIKE, or complex nesting - The
eventMessagefield in JSON output corresponds tocomposedMessagein predicates
Related Skills
benwaffle/slack-copy
tools
VerifiedTrustedCommunity
Put formatted content on the macOS clipboard so it renders correctly when pasted into a Slack message composer (bold/italic/lists via HTML, tables via TSV).
SKILL.mdUpdated May 24, 2026
benwaffle/slideshow
development
VerifiedTrustedCommunity
Generate self-contained HTML slideshows for technical concepts with diagrams, code highlighting, math, and charts
SKILL.mdUpdated Apr 20, 2026
benwaffle/claude-stats
tools
VerifiedTrustedCommunity
Generate an interactive HTML report of your Claude Code usage (sessions, messages, tokens, active days, streaks, peak times, model usage by day, top projects/tools) by parsing ~/.claude/projects/*.jsonl. Use when the user asks for their Claude stats, usage, activity, streaks, token breakdown, or wants to see how they use Claude over time.
SKILL.mdUpdated Apr 20, 2026
benwaffle/adb
development
VerifiedTrustedCommunity
Android Debug Bridge (ADB) assistant for inspecting, debugging, and managing Android devices
SKILL.mdUpdated Apr 20, 2026