Skip to main content
Sumo Logic

About Live Tail

Sumo Logic Live Tail allows developers and IT ops to see a real-time live feed of log events associated with a Source or Collector, which you can use as a tool for development and troubleshooting.

The Live Tail user interface mimics the output of the command line command tail -f with a solid black background and easy to read white text. It provides all log messages as they come in, with low latency. Because messages are displayed in Live Tail as they come in, they are not sorted as they are with Search.

Live Tail supports tailing logs ingested from Sources configured on Installed Collectors and Hosted Collectors with HTTP Sources. Data ingested from Sources configured on other Hosted Collectors, for example, Amazon S3, can’t be tailed.

You can start a Live Tail session using the following metadata categories:

  • _sourceHost
  • _sourceCategory
  • _sourceName
  • _source
  • _collector

Roles-Based Access Control permissions apply to all Live Tail queries.

live_tail_new.png

You can start a Live Tail session from the Live Tail page, or directly from the Search page, using the Live Tail link under the search box.

While the Live Tail is running, you can pause it, and scroll up and down to view the messages. You can also highlight up to eight keywords in order to make searching easier. Then when you are ready to resume scrolling, just click the arrow button, or simply click Jump to Bottom. You can view messages all the way back to the start of your session. There is no limit of line numbers.

To stop the Live Tail, click the Stop Live Tail menu item. Otherwise, your session will be stopped automatically in one hour.

Other Live Tail features include multiple Live Tail sessions, opening your Live Tail query in the Search page (or Show in Search), opening your Live Tail session in a new "pop-out" window, and changing the preferences of your Live Tail display, including line spacing, message text size, and message color.

Limitations

  • A Live Tail session will expire after one hour of inactivity. This is to provide the best performance possible. If a Live Tail session has expired, you can restart it at any time.
  • If you navigate away from the Live Tail tab, your session will run for an additional five minutes. After that, the Live Tail session will time out.
  • There is a message limit of about 1000 messages per second. Keyword filters do not affect the message rate.
  • There currently is a limit of 10 concurrent Live Tail sessions per organization.
  • There is a limit of four Live Tail sessions per user.
  • There is a limit of two Live Tail "pop out" windows per user.
  • Wildcards are supported in keywords, but not in the names of metadata fields.
  • Search operators are not supported in filters.
  • If too much data is coming in, messages may be skipped or not displayed on the screen, or there may be a lag before messages are displayed.
  • If the query you are using produces too many log message results, we may end the session, and present an error that prompts you to make your query more specific. This is to provide the best performance possible. If a Live Tail session has ended, you can restart it at any time.
  • Fields extracted via Field Extraction Rules are not available in Live Tail.
  • Windows Event Source logs and Windows Performance Source logs may not handle filters properly. Applying a filter may cause no data to appear in a Live Tail.