Live tail
Live tail for Splunk Web lets you watch data streaming into Splunk. Search for any text in data as it is indexed into Splunk. Live tail streams data to the browser based on a simple text search.
Live tail has a variety of uses. Some of the more common use cases are:
- Passive monitoring
  - If you want to know the moment specific events occur in your environment.
- Troubleshooting
  - Set up live tail to search for a particular type of event and set it to monitor your environment.
  - Change your environment and monitor the effects in the live tail stream. For example, send an email and see whether it passes your spam filter.
Use live tail in Splunk Web
Live tail launches in a new window (or a new tab, depending on your browser configuration). The live tail processor takes the search terms you input (the part of the search before it gets piped to data processing commands), creates a search based on those terms, and streams the search results to your browser.
To start live tail, select the View in live tail menu item in the search bar drop-down menu.
The live tail interface
Overview of controls in the live tail window:
- The search box: Enter your search terms here.
- The green button: Clicking the green button opens a new stream based on the search terms you entered in the search box. Each time you click the green button, you launch a new stream based on your search terms.
- ctrl-c: Pressing ctrl-c terminates the current stream (just like with tail -f in a Linux or Unix shell). Note: Currently, ctrl-c is the only tail -f Linux/Unix shell feature that is implemented.
- Wrap results check box: Wraps the search results. Functions similarly to the wrap results check box in the main window of Splunk Web.
- Pressing the Enter key anywhere outside the search box inserts a new line in the displayed stream.
- Use ctrl + shift + b to pause or unpause live tail. On a Mac, use cmd + shift + b.
Note: To increase the text size of live tail, increase your browser's text display size.
Start live tail from the Splunk CLI
- Log into Splunk:
  ./splunk login
- Use the live-tail CLI command to start live tail. Type:
  ./splunk live-tail "your search string"
  where "your search string" is whatever simple search terms you want to search for (surrounded by quotes).
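Live tail only streams on the plain text terms of a search: the processor uses the part before the first pipe, and search commands are not allowed. The following helpers, added here as an example and not part of the Splunk documentation, derive that portion from a full search string and build the CLI command line described in the steps above. The location of the splunk binary (./splunk by default, overridable with SPLUNK_BIN) is an assumption.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation. Derives the plain-text
# terms live tail can stream on (everything before the first pipe) and
# builds the "splunk live-tail" command line. SPLUNK_BIN is an assumed
# variable for the path to the splunk binary; ./splunk is the default.

# Print the plain-text portion of a search: everything before the first "|",
# with leading and trailing whitespace removed. Return 1 when nothing is
# left, since a search made only of commands has nothing for live tail to
# match on (live tail accepts no search commands or data extractions).
livetail_terms() {
    terms=${1%%|*}
    terms=$(printf '%s' "$terms" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$terms" ] || return 1
    printf '%s\n' "$terms"
}

# Print the command that starts live tail for the given search, passing the
# terms as a single quoted argument. Run "./splunk login" first, as the
# steps above require.
livetail_cmd() {
    t=$(livetail_terms "$1") || { echo "search has no plain-text terms" >&2; return 1; }
    printf '%s live-tail "%s"\n' "${SPLUNK_BIN:-./splunk}" "$t"
}

# Usage: livetail_cmd 'failed password | stats count'
# prints: ./splunk live-tail "failed password"
```

The pipeline tail is dropped rather than rejected because that is what the live tail processor does with a search typed into Splunk Web; a search that is nothing but commands is refused, because there would be no text to stream on.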
Current limitations
The following are the current limitations of live tail:
- You can only perform a simple text search while using live tail. You can't use any Splunk search commands or any data extractions in a search.
- If the client is overloaded by the volume of the data coming in to the processor, it will arbitrarily omit chunks of data. This means that with a very high volume of data, some events may never be displayed on screen for live tail.
- There are REST endpoints on both splunkd and SplunkWeb. Application developers are free to use these APIs to consume the streams directly and bypass the client. To configure the REST endpoints, use restmaps.conf and streams.conf.
- LiveTail doesn't work in IE 6.
- LiveTail doesn't work in distributed search.
- By default, Livetail is only enabled for users assigned the Admin and Power roles. To allow the User role access, the allow_livetail capability must be enabled in authorize.conf.
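Because live tail exposes raw indexed data as it arrives, an administrator will want to confirm which roles actually hold the allow_livetail capability. The script below is an added example, not part of the Splunk documentation: it writes a constructed authorize.conf to a temporary file and lists the roles whose stanza enables allow_livetail. The stanza and key layout ([role_<name>] with "<capability> = enabled") is the assumed authorize.conf convention, and the three sample roles are constructed.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation. Lists the roles in an
# authorize.conf that have allow_livetail enabled. The [role_<name>] stanza
# and "<capability> = enabled" layout is the assumed authorize.conf
# convention; the sample file below is constructed for this example.

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample: the default state described in the docs
[role_admin]
allow_livetail = enabled

[role_power]
allow_livetail = enabled

# set this to "enabled" to grant the User role access to live tail
[role_user]
allow_livetail = disabled
EOF

# Print, one per line, the role names whose [role_<name>] stanza sets
# allow_livetail = enabled in the given authorize.conf.
livetail_roles() {
    awk '
        # a stanza header like [role_admin]: remember the role name
        /^\[role_/ { role = substr($0, 7, length($0) - 7); next }
        # the capability line inside the current stanza
        /^[[:space:]]*allow_livetail[[:space:]]*=[[:space:]]*enabled[[:space:]]*$/ { print role }
    ' "$1"
}

# Usage: livetail_roles "$SAMPLE_CONF"
# prints: admin and power, one per line
```

Point the function at the real authorize.conf (and at any app-level copies, since Splunk layers them) to see who can open a live tail stream; only the roles that need to watch data as it is indexed should appear.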
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14