Retrieves the most recent events and returns a specified maximum
number of events. The tail() function sorts
events by either @timestamp or
@ingesttimestamp, depending on their
availability.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
limit[a] | number | optional[b] | The argument given to this parameter determines the limit on the number of events included in the result of the function. The default argument is default. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used. | |
| Minimum | 1 | |||
| Maximum | 20,000 | The default maximum limit is not static and can be changed by setting
the StateRowLimit
dynamic configuration. | ||
[b] Optional parameters use their default value unless explicitly set. | ||||
As default, the tail() function uses the
@timestamp field to select the most recent
events. If not available, the
@ingesttimestamp field is used instead.
If neither the @timestamp or @ingesttimestamp fields are available, the search will report the error: Expected events to have a @timestamp field for tail to work.
The maximum value of the limit parameter
can be adjusted using the
StateRowLimit
dynamic configuration.
tail() Syntax Examples
Select the 10 newest where
loglevel=ERROR:
loglevel=ERROR
| tail(10)Select the 100 latest events and group them by loglevel
tail(limit=100)
| groupBy(loglevel)Although the default is 200, if a number higher than this is specified, LogScale will attempt to return as many results up to that number. For example:
"GET /_images"
| tail(1000)
Will return up to 1000 events matching an HTTP GET request for
files in the _images
directory. If there are only 287 matching events, all 287 will
be returned.
tail() Examples
Click next to an example below to get the full details.
Deduplicate Content by Field
Deduplicating content based on a specific field