• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
  • CLI searches
• Use the Splunk Command Line Interface (CLI)
  • The Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • CLI search parameters
• Use form search
  • Form search
    • Run a form search
• Use Live Tail
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Use transaction search
  • Transactions
    • Useful transactions
    • The transaction command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
• Use tagging
  • About tags
    • Search for events containing tags
    • Configure tags
    • Configure roles for tagging
• Use reporting
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
• Search reference
  • Splunk search
    • Generate search results
    • Construct searches
    • Form searches
    • Macro searches
    • Transactions
    • Live tail
    • Save and schedule searches
    • Asynchronous searches
    • CLI searches
    • Tune search performance
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Data-generating commands
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • cluster
    • contingency
    • correlate
    • diff
    • format
    • highlight
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
• CLI command reference
  • Splunk Command Line Interface (CLI)
    • CLI commands
    • auth and uri parameters
    • Note for Mac users

Live tail

Live tail lets you monitor data that is coming into Splunk in near real-time. See streaming search results; search for any text in data as soon as it is indexed into Splunk. Live tail streams data to your browser based on a simple text search.

You can use live tail for a lot of different things, for example:

• Passive monitoring
  • You'll know when specific events occur.
• Troubleshooting
  • Set up live tail to search for a particular type of event and set it to monitor your environment.
  • Change your environment and monitor the effects in the live tail stream.
  • For example, send an email and see whether it passes your spam filter.

Use live tail in Splunk Web

To start live tail, select the View in live tail menu item in the search bar drop-down menu.

Live tail launches in a new window (or new tab - depending on your browser configuration). The live tail processor takes the search terms you input in the search bar(before they are piped to data processing commands), creates a search based on them, and streams data to your browser that matches the search.

The live tail interface

The live tail interface is a separate window opened when you click View in live tail in the search bar drop-down menu. The controls available to you in the live tail window are listed here.
Live tail interface controls:

• Enter search terms in the live tail search bar.
• Click the green button to launch a new stream based on the search terms entered in the live tail search bar.
• Press ctrl-c to terminate the current stream (just like with tail -f in a Linux or Unix shell).
• Use the Wrap results check box to word-wrap the search results just like in Splunk Web.
• Press the Enter key anywhere outside the search box to insert a new line in the current stream.
• Press ctrl + shift + b to pause or un-pause live tail.
  • On a Mac, use cmd + ctrl + b.

Start live tail from the CLI

1. Log into Splunk. ./splunk login
2. Use the live-tail CLI command to start live tail.
3. Type: ./splunk live-tail "your search string", where "your search string" is whatever simple search terms you want to search for (surrounded by quotes).

Current limitations

The following are current limitations of live tail:

• You can only perform a simple text search while using live tail. You can't use any Splunk search commands or any data extractions in a search.
• If the client is overloaded by the volume of the data coming in to the processor, it will arbitrarily omit chunks of data. This means that with a very high volume of data, some events may never be displayed on screen for live tail.
• If you are monitoring a large number of files, there may be a slight lag before data is displayed in the live tail window.
• User permissions must be configured properly to allow access to live tail. By default, live tail will not work for the User role. It should work by default for users assigned to the Power or Admin role.