TAIL Queries

Tail queries run on real-time data after the data is indexed.

The query results display new incoming events that match the query criteria. Because of the nature of these queries, they never finish; you must cancel or delete them manually.

You can query real-time data from the Advanced Search tab or the Data Grid widget by using one of the following methods:
  • Use the | TAIL keyword in the query
  • Select Real Time from the time filter drop-down list (only in the Advanced Search tab)
With either method, new search results are appended to the end of the results list, so you must scroll down the page to view the latest results. As with other search queries, you can stop the running query at any time by clicking Stop at the top of the results page.

The streaming stops if you scroll up the page, and resumes when you scroll down to the end of the page.

Tail queries have the following restrictions:

  • The results are always sorted by time.
  • TAIL queries cannot be used in infrastructure queries.
  • The GROUP BY clause and aggregation functions are not supported in TAIL queries.
  • The TAIL keyword cannot be used in SQL queries. Instead, use a WHERE clause on the collect time to achieve the same result. For example:
    • EQL query: use LogLogic_Appliance | TAIL
    • SQL query: select * from LogLogic_Appliance WHERE sys_collectTime > NOW