OpenSearch/docs/reference/eql/pipes.asciidoc

[role="xpack"]
[testenv="basic"]
[[eql-pipe-ref]]
== EQL pipe reference
++++
<titleabbrev>Pipe reference</titleabbrev>
++++

dev::[]

{es} supports the following EQL pipes:

* <<eql-pipe-head>>
* <<eql-pipe-tail>>

[discrete]
[[eql-pipe-head]]
=== `head`

Returns up to a specified number of events, starting with the earliest matching
events. Works similarly to the
https://en.wikipedia.org/wiki/Head_(Unix)[Unix head command].

[%collapsible]
====
*Example*

The following EQL query returns up to fifty of the earliest powershell
commands.

[source,eql]
----
process where process.name == "powershell.exe"
| head 50
----

*Syntax*
[source,txt]
----
head <max>
----

*Parameters*

`<max>`::
(Required, integer)
Maximum number of matching events to return.
====

[discrete]
[[eql-pipe-tail]]
=== `tail`

Returns up to a specified number of events, starting with the most recent
matching events. Works similarly to the
https://en.wikipedia.org/wiki/Tail_(Unix)[Unix tail command].

[%collapsible]
====
*Example*

The following EQL query returns up to thirty of the most recent `svchost.exe`
processes.

[source,eql]
----
process where process.name == "svchost.exe"
| tail 30
----

*Syntax*
[source,txt]
----
tail <max>
----

*Parameters*

`<max>`::
(Required, integer)
Maximum number of matching events to return.
====
[DOCS] EQL: Document `head` and `tail` pipes (#58673) (#58739) 2020-06-30 09:12:54 -04:00			`[role="xpack"]`
			`[testenv="basic"]`
			`[[eql-pipe-ref]]`
			`== EQL pipe reference`
			`++++`
			`<titleabbrev>Pipe reference</titleabbrev>`
			`++++`

			`dev::[]`

			`{es} supports the following EQL pipes:`

			`* <<eql-pipe-head>>`
			`* <<eql-pipe-tail>>`

			`[discrete]`
			`[[eql-pipe-head]]`
			=== `head`

			`Returns up to a specified number of events, starting with the earliest matching`
			`events. Works similarly to the`
			`https://en.wikipedia.org/wiki/Head_(Unix)[Unix head command].`

			`[%collapsible]`
			`====`
			`Example`

			`The following EQL query returns up to fifty of the earliest powershell`
			`commands.`

			`[source,eql]`
			`----`
			`process where process.name == "powershell.exe"`
			`\| head 50`
			`----`

			`Syntax`
			`[source,txt]`
			`----`
			`head <max>`
			`----`

			`Parameters`

			`<max>`::
			`(Required, integer)`
			`Maximum number of matching events to return.`
			`====`

			`[discrete]`
			`[[eql-pipe-tail]]`
			=== `tail`

			`Returns up to a specified number of events, starting with the most recent`
			`matching events. Works similarly to the`
			`https://en.wikipedia.org/wiki/Tail_(Unix)[Unix tail command].`

			`[%collapsible]`
			`====`
			`Example`

			The following EQL query returns up to thirty of the most recent `svchost.exe`
			`processes.`

			`[source,eql]`
			`----`
			`process where process.name == "svchost.exe"`
			`\| tail 30`
			`----`

			`Syntax`
			`[source,txt]`
			`----`
			`tail <max>`
			`----`

			`Parameters`

			`<max>`::
			`(Required, integer)`
			`Maximum number of matching events to return.`
			`====`