74 lines
1.2 KiB
Plaintext
74 lines
1.2 KiB
Plaintext
[role="xpack"]
|
|
[testenv="basic"]
|
|
[[eql-pipe-ref]]
|
|
== EQL pipe reference
|
|
++++
|
|
<titleabbrev>Pipe reference</titleabbrev>
|
|
++++
|
|
|
|
experimental::[]
|
|
|
|
{es} supports the following <<eql-pipes,EQL pipes>>.
|
|
|
|
[discrete]
|
|
[[eql-pipe-head]]
|
|
=== `head`
|
|
|
|
Returns up to a specified number of events or sequences, starting with the
|
|
earliest matches. Works similarly to the
|
|
{wikipedia}/Head_(Unix)[Unix head command].
|
|
|
|
*Example*
|
|
|
|
The following EQL query returns up to three of the earliest powershell
|
|
commands.
|
|
|
|
[source,eql]
|
|
----
|
|
process where process.name == "powershell.exe"
|
|
| head 3
|
|
----
|
|
|
|
*Syntax*
|
|
[source,txt]
|
|
----
|
|
head <max>
|
|
----
|
|
|
|
*Parameters*
|
|
|
|
`<max>`::
|
|
(Required, integer)
|
|
Maximum number of matching events or sequences to return.
|
|
|
|
[discrete]
|
|
[[eql-pipe-tail]]
|
|
=== `tail`
|
|
|
|
Returns up to a specified number of events or sequences, starting with the most
|
|
recent matches. Works similarly to the
|
|
{wikipedia}/Tail_(Unix)[Unix tail command].
|
|
|
|
*Example*
|
|
|
|
The following EQL query returns up to five of the most recent `svchost.exe`
|
|
processes.
|
|
|
|
[source,eql]
|
|
----
|
|
process where process.name == "svchost.exe"
|
|
| tail 5
|
|
----
|
|
|
|
*Syntax*
|
|
[source,txt]
|
|
----
|
|
tail <max>
|
|
----
|
|
|
|
*Parameters*
|
|
|
|
`<max>`::
|
|
(Required, integer)
|
|
Maximum number of matching events or sequences to return.
|