Live tail
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Live tail
Live tail lets you monitor data that is coming into Splunk in near real-time. See streaming search results; search for any text in data as soon as it is indexed into Splunk. Live tail streams data to your browser based on a simple text search.
You can use live tail for a lot of different things, for example:
- Passive monitoring
- You'll know when specific events occur.
- Troubleshooting
- Set up live tail to search for a particular type of event and set it to monitor your environment.
- Change your environment and monitor the effects in the live tail stream.
- For example, send an email and see whether it passes your spam filter.
Use live tail in Splunk Web
To start live tail, select the View in live tail menu item in the search bar drop-down menu.
Live tail launches in a new window (or new tab - depending on your browser configuration). The live tail processor takes the search terms you input in the search bar(before they are piped to data processing commands), creates a search based on them, and streams data to your browser that matches the search.
The live tail interface
The live tail interface is a separate window opened when you click View in live tail in the search bar drop-down menu. The controls available to you in the live tail window are listed here.
Live tail interface controls:
- Enter search terms in the live tail search bar.
- Click the green button to launch a new stream based on the search terms entered in the live tail search bar.
- Press ctrl-c to terminate the current stream (just like with
tail -fin a Linux or Unix shell). - Use the Wrap results check box to word-wrap the search results just like in Splunk Web.
- Press the Enter key anywhere outside the search box to insert a new line in the current stream.
- Press ctrl + shift + b to pause or un-pause live tail; On a Mac, use cmd + ctrl + b.
Start live tail from the CLI
Follow these steps to start live tail from the CLI:
1. Log into Splunk. ./splunk login
2. Use the live-tail CLI command to start live tail.
3. Type: ./splunk live-tail "your search string", where "your search string" is whatever simple search terms you want to search for (surrounded by quotes).
Current limitations
The following are current limitations of live tail:
- You can only perform a simple text search while using live tail. You can't use any Splunk search commands or any data extractions in a search.
- If the client is overloaded by the volume of the data coming in to the processor, it will arbitrarily omit chunks of data. This means that with a very high volume of data, some events may never be displayed on screen for live tail.
- If you are monitoring a large number of files, there may be a slight lag before data is displayed in the live tail window.
- User permissions must be configured properly to allow access to live tail. By default, live tail will not work for the User role. It should work by default for users assigned to the Power or Admin role.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.