# tail()

`tail([n])` returns the last `n` rows from the input stream. `n` must be between 1 and 10,000 and defaults to 10.

When applied directly to a query filter, rows are ordered by timestamp (`@scnr.datetime`), and the last (newest) rows are returned.

When applied after another aggregation (for example, `groupbycount ... | tail 3`), the last rows in the order produced by that aggregation are returned.

If your query matches fewer than `n` rows, all matching rows are returned. The result may also be smaller than `n` rows if the total result size exceeds 128MB (or `max_bytes` if using the [API](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/developer-tools/api/ad-hoc-queries)). In either case, the returned rows are always the true last rows — no later rows are omitted.

See also: [head()](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/aggregation-functions/head), which returns the first rows.

## Returns

A table with up to `n` rows, preserving all original columns.

## Examples

<pre class="language-python"><code class="lang-python"><strong># Get the 10 most recent GuardDuty findings (default n)
</strong><strong>%ingest.source_type: "aws:guardduty"
</strong>| tail

# Get the last 50 login events and count them by user
eventName: "ConsoleLogin"
| tail 50
| groupbycount userIdentity.arn

# Get the 3 least frequent users by login count
eventName: "ConsoleLogin"
| groupbycount userIdentity.arn
| tail 3
</code></pre>