Finds the newest events.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
limit[a] | number | optional[b] | 200 | The maximum number of events included in results. |
| Minimum | 1 | |||
| Maximum | 20,000 | The default maximum limit is not static and can be changed by setting
the StateRowLimit
dynamic configuration. | ||
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
limitcan be omitted; the following forms of this function are equivalent:logscale Syntaxtail("value")and:
logscale Syntaxtail(limit="value")These examples show basic structure only.
The tail() uses the @timestamp
to select the most recent events. If not available, the
@ingesttimestamp field is used instead.
If neither the @timestamp or @ingesttimestamp fields are available, the search will report the error: Expected events to have a @timestamp field for tail to work.
The maximum value of the limit parameter can be
adjusted using the
StateRowLimit dynamic
configuration.
tail() Examples
Select the 10 newest where
loglevel=ERROR:
loglevel=ERROR
| tail(10)Select the 100 latest events and group them by loglevel
tail(limit=100)
| groupby(loglevel)Although the default is 200, if a number higher than this is specified, LogScale will attempt to return as many results up to that number. For example:
"GET /_images"
| tail(1000)
Will return up to 1000 events matching an HTTP GET request for files in
the _images directory. If there
are only 287 matching events, all 287 will be returned.