Live Tail
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk:
3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6
Live Tail for Splunk Web works just like tail -f (in Linux/Unix). Search for any text in data as it is indexed into Splunk. Live Tail streams data to the browser based on a simple text search.
Live Tail has a variety of uses. Some of the more common use cases are:
- Passive monitoring
  - Use Live Tail when you want to know the moment specific events occur in your environment.
- Troubleshooting
  - Set up Live Tail to search for a particular type of event and leave it running to monitor your environment.
  - Change your environment and watch the effects in the Live Tail stream. For example, send an email and see whether it passes your spam filter.
Use Live Tail in Splunk Web
Live Tail launches in a new window (or new tab - depending on your browser configuration). The Live Tail processor takes the search terms you input (before they get piped to data processing commands), creates a search based on those, and streams search results to your browser.
To start Live Tail, select the View in Live Tail item in the search bar drop-down menu.
The Live Tail interface
Overview of controls in the Live Tail window:
- The search box:
  - Enter your search terms here.
- The green button:
  - Clicking the green button opens a new stream based on the search terms you entered in the search box.
  - Each time you click the green button, you launch a new stream based on your search terms.
- ctrl-c:
  - Pressing ctrl-c terminates the current stream (just like with tail -f in a Linux or Unix shell).
  - Note: currently, ctrl-c is the only tail -f shell feature that Live Tail implements.
- Wrap results check box:
  - Wraps the search results.
  - Functions similarly to the wrap results check box in the main window of Splunk Web.
- Pressing the Enter key anywhere outside the search box inserts a new line in the displayed stream.
- Use ctrl + shift + b to pause or un-pause Live Tail. On a Mac, use cmd + shift + b.
Start Live Tail from the Splunk CLI
- Log into Splunk:
  ./splunk login
- Use the live-tail CLI command to start Live Tail. Type:
  ./splunk live-tail "your search string"
  where "your search string" is whatever simple search terms you want to search for (surrounded by quotes).
- There are REST endpoints on both splunkd and SplunkWeb. Application developers are free to use these APIs to consume the streams directly and bypass the client.
Current limitations
The following are the current limitations of Live Tail:
- You can only perform a simple text search while using Live Tail. You can't use any Splunk search commands or any data extractions in a search.
- If the client is overloaded by the volume of data coming in from the processor, it arbitrarily omits chunks of data. This means that with a very high volume of data, some events may never be displayed on screen in Live Tail.
- For a user to access Live Tail, the user's role must have the allow_livetail setting configured in authorize.conf. By default, Live Tail does not work for the User role. It works by default for users assigned to the Power or Admin role.