mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-06-28 17:34:17 -04:00
b7e3a1e14b
* delete asciidoc files
* add migrated files
* fix errors
* Disable docs tests
* Clarify release notes page titles
* Revert "Clarify release notes page titles"
This reverts commit 8be688648d.
* Comment out edternal URI images
* Clean up query languages landing pages, link to conceptual docs
* Add .md to url
* Fixes inference processor nesting.
---------
Co-authored-by: Liam Thompson <32779855+leemthompo@users.noreply.github.com>
Co-authored-by: Liam Thompson <leemthompo@gmail.com>
Co-authored-by: Martijn Laarman <Mpdreamz@gmail.com>
Co-authored-by: István Zoltán Szabó <szabosteve@gmail.com>
1.3 KiB
1.3 KiB
| navigation_title | mapped_pages | |
|---|---|---|
| Pipe reference |
|
EQL pipe reference [eql-pipe-ref]
{{es}} supports the following EQL pipes.
head [eql-pipe-head]
Returns up to a specified number of events or sequences, starting with the earliest matches. Works similarly to the Unix head command.
Example
The following EQL query returns up to three of the earliest powershell commands.
process where process.name == "powershell.exe"
| head 3
Syntax
head <max>
Parameters
<max>- (Required, integer) Maximum number of matching events or sequences to return.
tail [eql-pipe-tail]
Returns up to a specified number of events or sequences, starting with the most recent matches. Works similarly to the Unix tail command.
Example
The following EQL query returns up to five of the most recent svchost.exe processes.
process where process.name == "svchost.exe"
| tail 5
Syntax
tail <max>
Parameters
<max>- (Required, integer) Maximum number of matching events or sequences to return.