nano SIEM
Search Commands

tail

Return the last N results from your search.

Description

The tail command limits the result set to the last N events or rows. Use it to examine the most recent data, to read the bottom of a sorted list, or to focus on the end of a time range.

When used without other commands, tail returns the last N raw events in the order they arrived. When placed after sort or an aggregation such as stats, it returns the last N rows of that command's output, so the sort direction decides which rows "last" means.

Syntax

... | tail [<count>]

Optional Arguments

count
Syntax: <int> or count=<int>
Description: Number of results to return
Default: 10

Examples

Get last 10 results (default)

* | tail

Returns the last 10 events.

Get last 20 results

* | tail 20

Returns the last 20 events.

Most recent events

* | tail 100

Returns the 100 most recent events, provided the events arrive in chronological order. Add sort timestamp before tail if that ordering is not guaranteed.

Bottom N after sorting

* | stats count() by user
  | sort -count
  | tail 10

Shows the 10 users with the fewest events.

Least common values

* | stats count() by dest_port
  | sort -count
  | tail 5

Shows the 5 least common destination ports.

Oldest events in range

* | sort -timestamp
  | tail 50

Returns the 50 oldest events in the time range. The descending sort puts the oldest events last; an ascending sort timestamp followed by tail would return the newest events instead.

Slowest endpoints (bottom of sorted list)

* | stats avg(response_time) as avg_time by endpoint
  | sort avg_time
  | tail 5

Shows the 5 slowest endpoints: the ascending sort places the largest avg_time values at the bottom, and tail returns them.

Last entries after dedup

* | dedup user
  | tail 20

Returns 20 rows, one per distinct user, taken from the end of the deduplicated output. Sort before dedup if "last" should mean most recent rather than last to arrive.

Recent activity per user

* | sort timestamp
  | tail 1000
  | stats count() by user

Counts per-user activity across the 1000 most recent events. The ascending sort puts the newest events last, so tail keeps them, and stats then runs only on that subset.

End of time series

* | bin span=1h
  | stats count() by time_bucket
  | sort time_bucket
  | tail 24

Shows the last 24 hours of hourly data.

Least active IPs

* | stats count() as events by src_ip
  | sort -events
  | tail 10

Shows the 10 least active source IPs.

Lowest average response time

* | stats avg(response_time) as avg_time by endpoint
  | sort -avg_time
  | tail 5

Shows the 5 endpoints with the lowest average response time.

Usage Notes

Default behavior: Without a count argument, tail returns 10 results.

Order dependency: Without sort, tail returns whatever rows happen to arrive last, which can change between runs. Use sort before tail to get consistent results, and sort on a second field as a tiebreaker if the primary key can repeat.

Performance: tail requires processing all results to determine which are last, so it's less efficient than head on large datasets.

Chronological data: On raw events without sorting, tail typically returns the most recent events if data is stored chronologically.

Opposite of head: tail is the complement to head. Use head for top N, tail for bottom N.

Sampling: Like head, tail is useful for sampling, but may not represent the full dataset.
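The order-dependency and performance notes above are easiest to see with a small model of the pipeline. The following Python is an added example written for this page; it is not nano SIEM code, the events are constructed, and the functions sort_rows, stats_count_by and tail are stand-ins for the sort, stats and tail commands. It shows that an ascending sort timestamp followed by tail returns the newest rows, that sort -timestamp is needed to get the oldest, and that tail on unsorted input changes with arrival order. The tail function also illustrates the performance note: it must consume every input row, but a bounded deque keeps only N rows in memory.

```python
"""Toy model of `... | sort ... | tail N` to show order dependency.

Added example for this page, not nano SIEM code. The event list is
constructed sample data; sort_rows / stats_count_by / tail stand in for
the sort, stats and tail search commands.
"""
from collections import deque
from typing import Iterable

# Constructed sample events, deliberately not in time order.
EVENTS = [
    {"timestamp": 1700000300, "user": "alice", "dest_port": 443},
    {"timestamp": 1700000100, "user": "bob",   "dest_port": 22},
    {"timestamp": 1700000500, "user": "alice", "dest_port": 443},
    {"timestamp": 1700000200, "user": "carol", "dest_port": 3389},
    {"timestamp": 1700000400, "user": "alice", "dest_port": 80},
    {"timestamp": 1700000600, "user": "bob",   "dest_port": 443},
]


def tail(rows: Iterable[dict], count: int = 10) -> list:
    """Return the last `count` rows (default 10, like the command).

    The whole input must be consumed to know which rows are last, but a
    deque with maxlen keeps memory at O(count) instead of O(all rows).
    """
    if count < 0:
        raise ValueError("count must be non-negative")
    return list(deque(rows, maxlen=count))


def sort_rows(rows: Iterable[dict], field: str, descending: bool = False) -> list:
    """`sort field` (ascending) or `sort -field` (descending)."""
    return sorted(rows, key=lambda r: r[field], reverse=descending)


def stats_count_by(rows: Iterable[dict], field: str) -> list:
    """`stats count() by field`: one row per distinct value, first-seen order."""
    counts: dict = {}
    for r in rows:
        counts[r[field]] = counts.get(r[field], 0) + 1
    return [{field: k, "count": v} for k, v in counts.items()]


def newest_two_timestamps() -> list:
    """`* | sort timestamp | tail 2` returns the two NEWEST events."""
    return [r["timestamp"] for r in tail(sort_rows(EVENTS, "timestamp"), 2)]


def oldest_two_timestamps() -> list:
    """`* | sort -timestamp | tail 2` is what returns the two oldest."""
    rows = tail(sort_rows(EVENTS, "timestamp", descending=True), 2)
    return [r["timestamp"] for r in rows]


def least_active_user() -> str:
    """`* | stats count() by user | sort -count | tail 1`"""
    per_user = stats_count_by(EVENTS, "user")
    return tail(sort_rows(per_user, "count", descending=True), 1)[0]["user"]


def unsorted_tail_is_arrival_dependent() -> bool:
    """Same events in two arrival orders: unsorted tail differs, sorted tail agrees."""
    arrived_a = EVENTS
    arrived_b = list(reversed(EVENTS))
    unsorted_a = tail(arrived_a, 1)[0]["timestamp"]
    unsorted_b = tail(arrived_b, 1)[0]["timestamp"]
    sorted_a = tail(sort_rows(arrived_a, "timestamp"), 1)[0]["timestamp"]
    sorted_b = tail(sort_rows(arrived_b, "timestamp"), 1)[0]["timestamp"]
    return unsorted_a != unsorted_b and sorted_a == sorted_b


if __name__ == "__main__":
    print("sort timestamp | tail 2  ->", newest_two_timestamps())
    print("sort -timestamp | tail 2 ->", oldest_two_timestamps())
    print("least active user        ->", least_active_user())
    print("unsorted tail depends on arrival order:",
          unsorted_tail_is_arrival_dependent())
```

Run it as a script to see the four results. The first two lines make the oldest/newest distinction concrete, and the last line is the reason the usage notes insist on sort before tail.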

Related Commands

  • head - Get first N results
  • sort - Order results before limiting
  • rare - Automatically get least common values
  • table - Select specific fields to display