elasticsearch/docs/reference/query-languages/eql/eql-pipe-ref.md
Craig Taverner 94cad286bc
Restructure query-languages docs files for clarity (#124797)
In a few previous PRs we restructured the ES|QL docs to make it possible to generate them dynamically.

This PR just moves a few files around to make the query languages docs easier to work with, and a little more organized like the ES|QL docs.

A big part of this was setting up redirects to the new locations, so other repos could correctly link to the elasticsearch docs.
2025-03-17 17:58:58 +01:00

1.3 KiB

navigation_title: Pipe reference
mapped_pages: https://www.elastic.co/guide/en/elasticsearch/reference/current/eql-pipe-ref.html

EQL pipe reference [eql-pipe-ref]

{{es}} supports the following EQL pipes.

head [eql-pipe-head]

Returns up to a specified number of events or sequences, starting with the earliest matches. Works similarly to the Unix head command.

Example

The following EQL query returns up to three of the earliest PowerShell commands.

process where process.name == "powershell.exe"
| head 3

Syntax

head <max>

Parameters

<max>
(Required, integer) Maximum number of matching events or sequences to return.

tail [eql-pipe-tail]

Returns up to a specified number of events or sequences, starting with the most recent matches. Works similarly to the Unix tail command.

Example

The following EQL query returns up to five of the most recent svchost.exe processes.

process where process.name == "svchost.exe"
| tail 5

Syntax

tail <max>

Parameters

<max>
(Required, integer) Maximum number of matching events or sequences to return.
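
Example with a sequence query

The following console request is an added example, not taken from the Elasticsearch documentation. It applies tail to a sequence query, so the pipe counts whole sequences rather than single events, and it raises the EQL search API's size parameter, which defaults to 10 and cannot be exceeded by a pipe. The index pattern, the join key and the five-minute span are assumptions chosen for illustration.

```console
# Added example. The index pattern below is an assumption; use your own
# process and network event data streams.
GET /logs-endpoint.events.*/_eql/search
{
  # size defaults to 10 and caps the response. Without it, "| tail 25"
  # would still return at most 10 sequences.
  "size": 25,
  "query": """
    /* Each match is one sequence: a powershell.exe process start followed,
       on the same host and within five minutes, by a network event from
       powershell.exe. */
    sequence by host.id with maxspan=5m
      [ process where process.name == "powershell.exe" ]
      [ network where process.name == "powershell.exe" ]
    // tail counts sequences here, not individual events.
    | tail 25
  """
}
```

Replacing tail 25 with head 25 returns the 25 earliest matching sequences instead of the 25 most recent.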