Retrieves the most recent events and returns a specified maximum
number of events. The tail() function sorts
events by either @timestamp or
@ingesttimestamp, depending on their
availability.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
limit[a] | number | optional[b] | 200 | The argument given to this parameter determines the limit on the number of events included in the result of the function. The default argument is default. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used. |
| Minimum | 1 | |||
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
limitcan be omitted; the following forms of this function are equivalent:logscale Syntaxtail("value")and:
logscale Syntaxtail(limit="value")These examples show basic structure only.
As default, the tail() function uses the
@timestamp field to select the most recent
events. If not available, the
@ingesttimestamp field is used instead.
If neither the @timestamp or @ingesttimestamp fields are available, the search will report the error: Expected events to have a @timestamp field for tail to work.
The maximum value of the limit parameter
can be adjusted using the
StateRowLimit
dynamic configuration.
tail() Syntax Examples
Select the 10 newest where
loglevel=ERROR:
loglevel=ERROR
| tail(10)Select the 100 latest events and group them by loglevel
tail(limit=100)
| groupBy(loglevel)Although the default is 200, if a number higher than this is specified, LogScale will attempt to return as many results up to that number. For example:
"GET /_images"
| tail(1000)
Will return up to 1000 events matching an HTTP GET request for
files in the _images
directory. If there are only 287 matching events, all 287 will
be returned.
tail() Examples
Click next to an example below to get the full details.
Deduplicate Content by Field
Deduplicating content based on a specific field
Query
groupBy(field, function=tail(1))Introduction
If you want to deduplicate events by a given field, for example to
identify a unique list of events for further processing, you can
use an aggregate function. In this example, the
groupBy() function is used with
tail() to use the last value in a sequence of
events.
Step-by-Step
Starting with the source repository events.
- logscale
groupBy(field, function=tail(1))Groups all events in a specific field, and reduces the results using
tail()to take only the last value. Event Result set.
Summary and Results
The query is used to deduplicate events by a given field. This is useful if you want to create a unique list of events for further processing.