[role="xpack"]
[testenv="basic"]
[[eql-pipe-ref]]
== EQL pipe reference
++++
Pipe reference
++++
experimental::[]
{es} supports the following EQL pipes:
* <>
* <>
[discrete]
[[eql-pipe-head]]
=== `head`
Returns up to a specified number of events or sequences, starting with the
earliest matches. Works similarly to the
{wikipedia}/Head_(Unix)[Unix head command].
*Example*
The following EQL query returns up to three of the earliest powershell
commands.
[source,eql]
----
process where process.name == "powershell.exe"
| head 3
----
*Syntax*
[source,txt]
----
head
----
*Parameters*
``::
(Required, integer)
Maximum number of matching events or sequences to return.
[discrete]
[[eql-pipe-tail]]
=== `tail`
Returns up to a specified number of events or sequences, starting with the most
recent matches. Works similarly to the
{wikipedia}/Tail_(Unix)[Unix tail command].
*Example*
The following EQL query returns up to five of the most recent `svchost.exe`
processes.
[source,eql]
----
process where process.name == "svchost.exe"
| tail 5
----
*Syntax*
[source,txt]
----
tail
----
*Parameters*
``::
(Required, integer)
Maximum number of matching events or sequences to return.