https://community.splunk.com/t5/Getting-Data-In/Making-splunk-act-like-tail-f-file/m-p/33088#M5907 <OL> <LI><P>Create a search that shows the events you're interested in, e.g., maybe it's just <CODE>source=/var/log/file.log</CODE>, or <CODE>source=*whatever.log | head 500</CODE>. The search should have a real-time time range.</P></LI> <LI><P>From the actions menu, select "Add to dashboard". Add the search to a new dashboard.</P></LI> <LI><P>Edit the dashboard's View XML, using the <A href="http://www.splunk.com/base/Documentation/latest/Developer/PanelReference#event3.">event</A> panel as a reference. You won't be able to remove the timestamp or change the spacing or typeface from here. Some things will require an edit of the CSS behind this view.</P></LI> <LI><P>If you prefer, use @Mackenzie's technique of picking out the _raw field and display the results with the <CODE>&lt;table&gt;</CODE> panel rather than the <CODE>&lt;event&gt;</CODE> panel. You can edit the prefs of this in the view XML as well.</P></LI> </OL> Thu, 23 Jun 2011 00:50:44 GMT gkanapathy 2011-06-23T00:50:44Z https://community.splunk.com/t5/Getting-Data-In/Making-splunk-act-like-tail-f-file/m-p/33086#M5905 <P>Hi,</P> <P>I'm trying to get Splunk to do the equivalent of a tail -f $file. Specifically what I'm trying to do is get the event output lines to be a lot more compressed and just show the raw text, no parsing, no field picker, no arrows, no splunk time stamps. I don't know how much of this is possible, but some of it might be.</P> <P>Thanks.</P> Wed, 22 Jun 2011 20:52:06 GMT https://community.splunk.com/t5/Getting-Data-In/Making-splunk-act-like-tail-f-file/m-p/33086#M5905 dpaper 2011-06-22T20:52:06Z https://community.splunk.com/t5/Getting-Data-In/Making-splunk-act-like-tail-f-file/m-p/33087#M5906 <P>A simple solution that may achieve what you want is:</P> <P>| fields _raw | eval event=_raw | table event</P> Mon, 28 Sep 2020 09:41:59 GMT https://community.splunk.com/t5/Getting-Data-In/Making-splunk-act-like-tail-f-file/m-p/33087#M5906 Mackenzie 2020-09-28T09:41:59Z https://community.splunk.com/t5/Getting-Data-In/Making-splunk-act-like-tail-f-file/m-p/33088#M5907 <OL> <LI><P>Create a search that shows the events you're interested in, e.g., maybe it's just <CODE>source=/var/log/file.log</CODE>, or <CODE>source=*whatever.log | head 500</CODE>. The search should have a real-time time range.</P></LI> <LI><P>From the actions menu, select "Add to dashboard". Add the search to a new dashboard.</P></LI> <LI><P>Edit the dashboard's View XML, using the <A href="http://www.splunk.com/base/Documentation/latest/Developer/PanelReference#event3.">event</A> panel as a reference. You won't be able to remove the timestamp or change the spacing or typeface from here. Some things will require an edit of the CSS behind this view.</P></LI> <LI><P>If you prefer, use @Mackenzie's technique of picking out the _raw field and display the results with the <CODE>&lt;table&gt;</CODE> panel rather than the <CODE>&lt;event&gt;</CODE> panel. You can edit the prefs of this in the view XML as well.</P></LI> </OL> Thu, 23 Jun 2011 00:50:44 GMT https://community.splunk.com/t5/Getting-Data-In/Making-splunk-act-like-tail-f-file/m-p/33088#M5907 gkanapathy 2011-06-23T00:50:44Z