Use Live Tail to see a real-time feed of log events associated with a Source or Collector. These live feeds can help you with development and troubleshooting.
Live Tail mimics the output of the command-line command tail -f, with a solid black background and easy-to-read white text. You can see all log messages as they come in, with low latency, but they are not sorted as they are with Search.
You can tail logs ingested from Sources configured on Installed Collectors and Hosted Collectors with HTTP Sources.
You can start a Live Tail session using the following metadata categories:
Role-Based Access Control permissions apply to all Live Tail queries.
The following image shows a Live Tail session for
You can start a Live Tail session by clicking the plus icon and selecting Live Tail or directly from the Search page, using the Live Tail link under the search box.
While Live Tail is running, you can pause it and scroll up and down to view the messages. You can also highlight up to eight keywords to make searching easier. When you are ready to resume scrolling, click the arrow button or click Jump to Bottom. You can view messages all the way back to the start of your session; there is no limit on the number of lines.
To stop Live Tail, click the Stop Live Tail menu item. Otherwise, your session will be stopped automatically in one hour.
Other Live Tail features include multiple Live Tail sessions, opening your Live Tail query in the Search page (or Show in Search), opening your Live Tail session in a new "pop-out" window, and changing the preferences of your Live Tail display, including line spacing, message text size, and message color.
- A Live Tail session expires after one hour of inactivity to give your system the best performance possible. If your Live Tail session expires, you can restart it at any time.
- If you navigate away from the Live Tail tab, your session will run for five more minutes and then time out.
- There is a message limit of about 1000 messages per second. Keyword filters do not affect the message rate.
- There currently is a limit of 10 concurrent Live Tail sessions per organization.
- There is a limit of four Live Tail sessions per user.
- There is a limit of two Live Tail "pop out" windows per user.
- _view and _index are not supported in Live Tail queries.
- Wildcards are supported in keywords and at the beginning/end of metadata fields. For example:
  - Allowed: _sourceCategory=*/apache or _sourceCategory=prod/*
  - Not allowed: _sourceCategory=prod/*/apache/
- Search operators are not supported in filters.
- If too much data is coming in, messages may be skipped or not displayed on the screen, or there may be a lag before messages are displayed.
- If the query you are using produces too many log message results, we may end the session, and present an error that prompts you to make your query more specific. This is to provide the best performance possible. If a Live Tail session has ended, you can restart it at any time.
- Fields extracted from Field Extraction Rules are not available in Live Tail.
- Windows Event Source logs and Windows Performance Source logs may not handle filters properly. Applying a filter may cause no data to appear in a Live Tail.
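The query restrictions listed above (no _view or _index, wildcards only at the beginning or end of a metadata value, no search operators) can be checked before a session is started. The following is an added example, not Sumo Logic code: the function name lint_live_tail_query is hypothetical, and it assumes that metadata fields are the underscore-prefixed names shown on this page and that a search operator is introduced by a pipe outside double quotes.

```python
import re

# Metadata fields the page lists as unsupported in Live Tail queries.
UNSUPPORTED_FIELDS = {"_view", "_index"}

# Assumption: a metadata filter is an underscore-prefixed name, '=', and a
# value that is either double-quoted or runs to the next whitespace.
FIELD_RE = re.compile(r'(?<!\w)(_\w+)\s*=\s*("[^"]*"|\S+)')


def lint_live_tail_query(query):
    """Return a list of rule violations; an empty list means none were found."""
    problems = []

    # Assumption: operators follow a pipe. Blank out quoted strings first so
    # a literal '|' inside a quoted keyword is not mistaken for one.
    if "|" in re.sub(r'"[^"]*"', '""', query):
        problems.append("search operators are not supported in filters")

    for field, value in FIELD_RE.findall(query):
        value = value.strip('"()')  # drop quotes and grouping parentheses
        if field in UNSUPPORTED_FIELDS:
            problems.append(f"{field} is not supported in Live Tail queries")
        # A wildcard may only be the first or last character of the value.
        if "*" in value[1:-1]:
            problems.append(
                f"{field}={value}: wildcard must be at the beginning or end"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample queries; the first three come from the list above.
    samples = [
        "_sourceCategory=*/apache",
        "_sourceCategory=prod/*",
        "_sourceCategory=prod/*/apache/",
        "_index=audit error",
        "_sourceCategory=prod/* | count",
    ]
    for q in samples:
        print(q, "->", lint_live_tail_query(q) or "ok")
```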