[role="xpack"]
[testenv="basic"]
[[eql-pipe-ref]]
== EQL pipe reference
++++
Pipe reference
++++
dev::[]
{es} supports the following EQL pipes:
* <>
* <>
[discrete]
[[eql-pipe-head]]
=== `head`
Returns up to a specified number of events, starting with the earliest matching
events. Works similarly to the
https://en.wikipedia.org/wiki/Head_(Unix)[Unix head command].
[%collapsible]
====
*Example*
The following EQL query returns up to fifty of the earliest powershell
commands.
[source,eql]
----
process where process.name == "powershell.exe"
| head 50
----
*Syntax*
[source,txt]
----
head
----
*Parameters*
``::
(Required, integer)
Maximum number of matching events to return.
====
[discrete]
[[eql-pipe-tail]]
=== `tail`
Returns up to a specified number of events, starting with the most recent
matching events. Works similarly to the
https://en.wikipedia.org/wiki/Tail_(Unix)[Unix tail command].
[%collapsible]
====
*Example*
The following EQL query returns up to thirty of the most recent `svchost.exe`
processes.
[source,eql]
----
process where process.name == "svchost.exe"
| tail 30
----
*Syntax*
[source,txt]
----
tail
----
*Parameters*
``::
(Required, integer)
Maximum number of matching events to return.
====