Tail search results can be updated in near real time to track ongoing events and to validate the collection and normalization of new log sources.
Tail Search Specifications
Tail search results appear in the search history, and are enabled at the press of a button. The time frame of these tail search results is not a sliding window, but starts with the earliest time in the search criteria time range, and always ends with "now." For more information on configuring the search criteria time range, see Build a Query.
The refresh interval for a tail search varies depending on the time frame selected:
| Time Range | Query | Refresh Interval |
| --- | --- | --- |
| Within 2 hours | Between now and 2 hours ago | 5 seconds |
| Within 24 hours | Between now and 24 hours ago | 15 seconds |
| Above 24 hours | Between now and 36 hours ago | 30 seconds |
Enable Tail Search
On the left-side menu, click the Search icon. The Search window appears.
Execute any search query. The results grid appears.
Click the Resume auto-refresh icon in the middle-right of the search window. Tail Search is enabled for the search grid & visualizations.
Tail search is automatically paused when the user navigates away from the search page, and resumes when they return. However, the search is not paused if the window is not the active window.
Disable Tail Search
On the Search page, execute any search query. The results grid appears.
Click the Pause auto-refresh icon in the middle-right of the search window. Tail Search is disabled for the search grid & visualizations.
Tail search is also disabled after five minutes of inactivity. A pop-up notification informs the user when tail search has timed out.