tail()

tail([n]) returns the last n rows from the input stream. n must be between 1 and 10,000 and defaults to 10.

When applied directly to a query filter, rows are ordered by timestamp (@scnr.datetime), and the last (newest) rows are returned.

When applied after another aggregation (for example, groupbycount ... | tail 3), the last rows in the order produced by that aggregation are returned.

If your query matches fewer than n rows, all matching rows are returned. The result may also be smaller than n rows if the total result size exceeds 128MB (or max_bytes if using the API). In either case, the returned rows are always the true last rows — no later rows are omitted.

See also: head(), which returns the first rows.

Returns

A table with up to n rows, preserving all original columns.

Examples

# Get the 10 most recent GuardDuty findings (default n)
%ingest.source_type: "aws:guardduty"
| tail

# Get the last 50 login events and count them by user
eventName: "ConsoleLogin"
| tail 50
| groupbycount userIdentity.arn

# Get the 3 least frequent users by login count
eventName: "ConsoleLogin"
| groupbycount userIdentity.arn
| tail 3
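The truncation rules described above (timestamp ordering in the filter case, input ordering after an aggregation, the 1 to 10,000 bound on n, and the byte cap that drops only older rows) modelled as an added Python reference implementation. This is example code written for this page, not the platform's own code. It assumes a row's size is its JSON-encoded length and that groupbycount emits groups most-frequent first (the third example above implies that ordering); neither is stated on the page.

```python
import json

MAX_N = 10_000
DEFAULT_MAX_BYTES = 128 * 1024 * 1024  # the page's 128MB cap; binary megabytes are an assumption


def row_size(row):
    """Byte size of one row. JSON-encoded length is an assumption of this model;
    the page does not say how the platform measures result size."""
    return len(json.dumps(row, sort_keys=True).encode())


def tail(rows, n=10, max_bytes=DEFAULT_MAX_BYTES, order_by="@scnr.datetime"):
    """Reference model of tail([n]).

    order_by: the timestamp field to sort on (the 'applied directly to a query
    filter' case). Pass None to keep input order (the 'after another aggregation' case).
    max_bytes: the byte budget is spent from the newest row backwards, so when it
    runs out the oldest candidates are dropped and the newest rows are always kept.
    """
    if not 1 <= n <= MAX_N:
        raise ValueError(f"n must be between 1 and {MAX_N}, got {n}")
    if order_by is not None:
        rows = sorted(rows, key=lambda r: r[order_by])
    candidates = rows[-n:]          # the true last n rows, or all rows if fewer match
    kept, spent = [], 0
    for row in reversed(candidates):  # newest first
        size = row_size(row)
        if spent + size > max_bytes:
            break                   # budget exhausted: drop this row and everything older
        kept.append(row)
        spent += size
    kept.reverse()                  # back to chronological order
    return kept


def groupbycount(rows, field):
    """Toy stand-in for groupbycount: one row per distinct value with its count.
    Most-frequent-first ordering is an assumption implied by example 3 above."""
    counts = {}
    for row in rows:
        counts[row[field]] = counts.get(row[field], 0) + 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [{field: key, "count": c} for key, c in ordered]


# Constructed sample ConsoleLogin events, deliberately out of timestamp order.
ACCOUNT = "arn:aws:iam::123456789012:user/"
EVENTS = [
    {"@scnr.datetime": "2024-05-01T10:03:00Z", "eventName": "ConsoleLogin", "userIdentity.arn": ACCOUNT + "bob"},
    {"@scnr.datetime": "2024-05-01T10:01:00Z", "eventName": "ConsoleLogin", "userIdentity.arn": ACCOUNT + "alice"},
    {"@scnr.datetime": "2024-05-01T10:05:00Z", "eventName": "ConsoleLogin", "userIdentity.arn": ACCOUNT + "alice"},
    {"@scnr.datetime": "2024-05-01T10:02:00Z", "eventName": "ConsoleLogin", "userIdentity.arn": ACCOUNT + "carol"},
    {"@scnr.datetime": "2024-05-01T10:04:00Z", "eventName": "ConsoleLogin", "userIdentity.arn": ACCOUNT + "alice"},
]


def newest_timestamps(n, max_bytes=DEFAULT_MAX_BYTES):
    """Timestamps returned by `eventName: "ConsoleLogin" | tail n` on the sample events."""
    return [r["@scnr.datetime"] for r in tail(EVENTS, n, max_bytes=max_bytes)]


def least_frequent_users(n):
    """Model of example 3: groupbycount userIdentity.arn | tail n (input order preserved)."""
    grouped = groupbycount(EVENTS, "userIdentity.arn")
    return [r["userIdentity.arn"] for r in tail(grouped, n, order_by=None)]


if __name__ == "__main__":
    print(newest_timestamps(3))
    print(newest_timestamps(50))          # fewer than n match: all rows, oldest to newest
    print(least_frequent_users(2))
```

The byte-cap path is the one worth stepping through: the budget is consumed starting at the newest row, so a cap that is hit mid-way removes the oldest of the n candidates, never the newest, which is the guarantee the text above makes.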
