Sumo Logic

Filter Live Tail

To find specific logs, you can filter with keywords. Add keywords after at least one metadata field in the Live Tail query, then click Run or press Enter.

The search is rerun with the new keyword filter, which is applied to incoming messages only. The screen clears, and new results automatically scroll.

You can start a Live Tail session using the following metadata categories:

  • _sourceCategory
  • _sourceHost
  • _sourceName
  • _source
  • _collector

In filters, you can use quotes to find a specific phrase, but otherwise the AND operator is implicit, meaning you do not need to type AND when entering multiple terms. Note that keyword searches are case-insensitive.

Filter Live Tail

  1. After your Source Category, Source Host, Source Name, Source, or Collector, enter the keyword you’d like to filter for. For example, enter "OS Process Data".  Use quotes to find a specific phrase, otherwise the AND operator is implicit.
  2. Click Run or press Enter.

The Run button changes to Running, the new query runs, and the screen automatically scrolls with the results.


In this example, we've started a Live Tail on the Source Host nite-index-1.



Next, we added a Source Category filter to the query. Here we're looking for the Source Category called "search".

_sourceHost=nite-index-1 _sourceCategory=search


In this example, we'll add some more keywords to the query, and a wildcard to a keyword.

_sourceHost=nite-index-1 (error or fail* or exception)


In a different example, we're looking at a different Source Host and Source Category, and filtering for log messages that don't include the keyword "info". This way, we know we're getting all of our warnings and errors.

_sourceHost=nite-cqsplitter-1 _sourceCategory=cqsplitter !info
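
The filter rules described above (implicit AND, quoted phrases, case-insensitive keywords, "or" groups, wildcards and "!" exclusion) can be checked offline against sample lines before relying on a filter during triage. The Python below is an added example, not Sumo Logic code: it is a local model of the rules on this page, and the sample records, the kept helper, exact metadata matching and whole-word keyword matching are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Local model of the filter rules on this page; not Sumo Logic's engine.
TOKEN = re.compile(r'!?"[^"]*"|\(|\)|[^\s()]+')

def term_matches(term, record):
    """Evaluate one term: !negation, _field=value, "quoted phrase", or keyword."""
    if term.startswith("!"):
        return not term_matches(term[1:], record)
    if term.startswith("_") and "=" in term:
        field, value = term.split("=", 1)
        return record.get(field) == value      # assumption: exact metadata match
    text = record["message"].lower()           # keyword searches are case-insensitive
    if term.startswith('"'):
        return term.strip('"').lower() in text
    # Assumption: a keyword matches a whole word; * extends it (fail* -> failed).
    return any(fnmatchcase(w, term.lower()) for w in re.findall(r"\w+", text))

def matches(query, record):
    """Implicit AND between terms; 'or' separates alternatives; () groups."""
    tokens, pos = TOKEN.findall(query), 0
    def parse_expr():
        nonlocal pos
        earlier, branch = False, True          # OR of AND-branches
        while pos < len(tokens) and tokens[pos] != ")":
            tok = tokens[pos]
            pos += 1
            if tok.lower() == "or":
                earlier, branch = earlier or branch, True
            elif tok == "(":
                branch = parse_expr() and branch
                pos += 1                       # consume ")"
            elif tok.lower() != "and":
                branch = term_matches(tok, record) and branch
        return earlier or branch
    return parse_expr()

SAMPLE = [  # constructed records for illustration, not real Live Tail output
    {"_sourceHost": "nite-index-1", "_sourceCategory": "search", "message": "INFO query completed in 42 ms"},
    {"_sourceHost": "nite-index-1", "_sourceCategory": "search", "message": "ERROR Failed to open index shard"},
    {"_sourceHost": "nite-index-1", "_sourceCategory": "index", "message": "WARN retry after timeout exception"},
    {"_sourceHost": "nite-cqsplitter-1", "_sourceCategory": "cqsplitter", "message": "WARN queue depth high"},
    {"_sourceHost": "nite-cqsplitter-1", "_sourceCategory": "cqsplitter", "message": "ERROR could not read user info"},
    {"_sourceHost": "nite-cqsplitter-1", "_sourceCategory": "cqsplitter", "message": "INFO split ok"},
]

def kept(query):  # indexes of SAMPLE records the filter would display
    return [i for i, r in enumerate(SAMPLE) if matches(query, r)]
```

Record 4 in the constructed sample is an ERROR line that contains the word "info", so the !info filter drops it along with the INFO line.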

Screen Shot 2017-06-12 at 1.21.00 PM.png