EQL pipe reference

Pipe reference

{es} supports the following EQL pipes.

`head`

Returns up to a specified number of events or sequences, starting with the earliest matches. Works similarly to the {wikipedia}/Head_(Unix)[Unix head command].

Example

The following EQL query returns up to three of the earliest powershell commands.

process where process.name == "powershell.exe"
| head 3

Syntax

head <max>

Parameters

<max>: (Required, integer) Maximum number of matching events or sequences to return.

`tail`

Returns up to a specified number of events or sequences, starting with the most recent matches. Works similarly to the {wikipedia}/Tail_(Unix)[Unix tail command].

Example

The following EQL query returns up to five of the most recent svchost.exe processes.

process where process.name == "svchost.exe"
| tail 5

Syntax

tail <max>

Parameters

<max>: (Required, integer) Maximum number of matching events or sequences to return.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

pipes.asciidoc

pipes.asciidoc

EQL pipe reference

`head`

`tail`

Files

pipes.asciidoc

Latest commit

History

pipes.asciidoc

File metadata and controls

EQL pipe reference

head

tail

`head`

`tail`