Finds the newest events.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
limit [a] | number | optional[b] | 200 | The maximum number of events included in results. |
Minimum | 1 | | | |
Maximum | 20,000 | | | The default maximum limit is not static and can be changed by setting the StateRowLimit dynamic configuration. |

[b] Optional parameters use their default value unless explicitly set.
Omitted Argument Names
The argument name for limit can be omitted; the following forms of this function are equivalent:
tail("value")
and:
tail(limit="value")
These examples show basic structure only.
The tail() function uses the @timestamp field to select the most recent events. If not available, the @ingesttimestamp field is used instead.
If neither the @timestamp nor the @ingesttimestamp field is available, the search will report the error: Expected events to have a @timestamp field for tail to work.
The maximum value of the limit parameter can be adjusted using the StateRowLimit dynamic configuration.
tail() Examples
Select the 10 newest events where loglevel=ERROR:
loglevel=ERROR
| tail(10)
Select the 100 latest events and group them by loglevel:
tail(limit=100)
| groupby(loglevel)
Although the default is 200, if a higher number is specified, LogScale will attempt to return as many results as are available, up to that number. For example:
"GET /_images"
| tail(1000)
This returns up to 1000 events matching an HTTP GET request for files in the _images directory. If there are only 287 matching events, all 287 will be returned.