Tail Queries
Tail queries run on near-real-time data after the data is indexed.
The query results display new incoming events that match the query criteria. Because of the nature of these queries, they never end; you must cancel or delete them manually.
You can query real-time data from the Advanced Search or the Data Grid widget, by using one of the following methods:
- Use the TAIL keyword in the query
- Select Real Time from the time filter list (only on the Advanced Search tab)
The streaming stops if you scroll up the page, and resumes when you scroll down to the end of the page.
You can use
LIMIT and
BUFFER statements in a tail query:
- LIMIT specifies the maximum number of results that must be displayed. The results are displayed in three pages. After retrieving more results, the same number of initial results are removed from the first page. Thus, if the limit is 50, only the latest 50 results fetched are displayed.
- BUFFER specifies the maximum streaming time to wait before returning results for the Tail query. You can use BUFFER with the TAIL keyword; not with the Real Time option from the time filter.
USE system |TAIL BUFFER 500 ms | LIMIT 50The example in the following screenshot uses Real Time from the time filter:
Limitations
Tail queries have the following restrictions:
- The results are always sorted by time.
- Filter options and the timeline chart view are not available.
- The options to download the results and to open search in a new tab are not available.
- The Tail keyword cannot be used in:
Copyright © Cloud Software Group, Inc. All rights reserved.