Tail Queries
Tail queries run on near-real-time data after the data is indexed.
The query results display new incoming events that match the query criteria. Because of the nature of these queries, they never end; you must cancel or delete them manually.
You can query real-time data from the Advanced Search or the Data Grid widget, by using any of the following methods:
- Use the TAIL keyword in the query
- Select Real Time from the time filter list (only on the Advanced Search tab)
Features of TAIL queries
- Real-time search results are appended to the results list. Navigate to the last page to view the latest results.
- Similar to other search queries, you can click Pause or Resume at the top of the results page to control the streaming of logs.
- Real-time streaming stops if you switch to another page or log out. However, it automatically resumes when you return to the search page or log in again.
- You can use
LIMIT and
BUFFER statements in a tail query:
- LIMIT specifies the maximum number of results that must be displayed. The results are displayed in three pages. After retrieving more results, the same number of initial results are removed from the first page. Thus, if the limit is 50, only the latest 50 results fetched are displayed.
- BUFFER specifies the maximum streaming time to wait before returning results for the Tail query. You can use BUFFER with the TAIL keyword; not with the Real Time option from the time filter.
Example of TAIL query
The example query that includes the
TAIL keyword:
USE system |TAIL BUFFER 500 ms | LIMIT 50In the following example, the time filter is set to Real Time:
Limitations
Tail queries have the following restrictions:
- The results are always sorted by time.
- Filter options and the timeline chart view are not available.
- The options to download the results and to open search in a new tab are not available.
- The Tail keyword cannot be used in:
Copyright © 2020. Cloud Software Group, Inc. All Rights Reserved.