[role="xpack"]
[testenv="basic"]
[[eql-pipe-ref]]
== EQL pipe reference
++++
<titleabbrev>Pipe reference</titleabbrev>
++++

dev::[]

{es} supports the following EQL pipes:

* <<eql-pipe-head>>
* <<eql-pipe-tail>>

[discrete]
[[eql-pipe-head]]
=== `head`

Returns up to a specified number of events, starting with the earliest matching
events. Works similarly to the
https://en.wikipedia.org/wiki/Head_(Unix)[Unix head command].

[%collapsible]
====
*Example*

The following EQL query returns up to fifty of the earliest powershell
commands.

[source,eql]
----
process where process.name == "powershell.exe"
| head 50
----

*Syntax*
[source,txt]
----
head <max>
----

*Parameters*

`<max>`::
(Required, integer)
Maximum number of matching events to return.
====

[discrete]
[[eql-pipe-tail]]
=== `tail`

Returns up to a specified number of events, starting with the most recent
matching events. Works similarly to the
https://en.wikipedia.org/wiki/Tail_(Unix)[Unix tail command].

[%collapsible]
====
*Example*

The following EQL query returns up to thirty of the most recent `svchost.exe`
processes.

[source,eql]
----
process where process.name == "svchost.exe"
| tail 30
----

*Syntax*
[source,txt]
----
tail <max>
----

*Parameters*

`<max>`::
(Required, integer)
Maximum number of matching events to return.
====
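The following Python script is an added, offline illustration of what the `head` and `tail` pipes above select; it is not Elasticsearch or EQL code. The events, process names and pids are constructed sample data, `parse_pipe`, `apply_pipe` and `run_query` are this example's own helpers, and the ascending time order of the returned selection is the example's own choice for readability, not a statement about how {es} orders `tail` results. `eql_request_body` only builds the `{"query": ...}` body that the EQL search API accepts, so the pipe is always part of the query string rather than a separate request parameter.

```python
"""Offline illustration of EQL `head <max>` and `tail <max>` semantics.

Constructed example, not Elasticsearch code: the events are hand-made and
the pipe is applied in plain Python to show which events each pipe keeps,
including the "up to" edge case where fewer than <max> events match.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample events: ten process events, one minute apart.
# Every third event is svchost.exe, the rest are powershell.exe.
_BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {
        "@timestamp": (_BASE + timedelta(minutes=i)).isoformat(),
        "event": {"category": "process"},
        "process": {
            "name": "powershell.exe" if i % 3 else "svchost.exe",
            "pid": 1000 + i,  # constructed pid, makes results easy to read
        },
    }
    for i in range(10)
]

# Only the two pipes documented on this page; <max> must be an integer.
_PIPE_RE = re.compile(r"^\s*(head|tail)\s+(\d+)\s*$")


def parse_pipe(pipe: str) -> tuple[str, int]:
    """Parse `head <max>` or `tail <max>` into (name, max)."""
    match = _PIPE_RE.match(pipe)
    if not match:
        raise ValueError(f"unsupported pipe: {pipe!r}")
    return match.group(1), int(match.group(2))


def apply_pipe(events: list[dict], pipe: str) -> list[dict]:
    """Keep the earliest <max> events for head, the most recent <max> for tail.

    Events are ordered by @timestamp first. The selection is returned in
    ascending time order (this example's choice). If fewer than <max> events
    exist, all of them are returned, matching the "up to" wording above.
    """
    name, max_events = parse_pipe(pipe)
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    if name == "head":
        return ordered[:max_events]
    # ordered[-0:] would return everything, so guard the zero case explicitly.
    return ordered[-max_events:] if max_events else []


def run_query(events: list[dict], process_name: str, pipe: str) -> list[dict]:
    """Emulate `process where process.name == "<name>" | <pipe>` offline."""
    matching = [
        e for e in events
        if e["event"]["category"] == "process"
        and e["process"]["name"] == process_name
    ]
    return apply_pipe(matching, pipe)


def eql_request_body(query: str) -> dict:
    """Body for POST /<index>/_eql/search: the pipe travels inside the query."""
    return {"query": query}


if __name__ == "__main__":
    for name, pipe in (("powershell.exe", "head 2"), ("powershell.exe", "tail 2"),
                       ("svchost.exe", "head 50")):
        pids = [e["process"]["pid"] for e in run_query(EVENTS, name, pipe)]
        print(f"{name} | {pipe}: {pids}")
    print(eql_request_body('process where process.name == "svchost.exe"\n| tail 30'))
```

Running the script shows `head 2` keeping the two earliest powershell events and `tail 2` the two most recent, while `head 50` over only four `svchost.exe` events returns all four rather than failing.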