83 lines
1.3 KiB
Plaintext
83 lines
1.3 KiB
Plaintext
[role="xpack"]
|
|
[testenv="basic"]
|
|
[[eql-pipe-ref]]
|
|
== EQL pipe reference
|
|
++++
|
|
<titleabbrev>Pipe reference</titleabbrev>
|
|
++++
|
|
|
|
experimental::[]
|
|
|
|
{es} supports the following EQL pipes:
|
|
|
|
* <<eql-pipe-head>>
|
|
* <<eql-pipe-tail>>
|
|
|
|
[discrete]
|
|
[[eql-pipe-head]]
|
|
=== `head`
|
|
|
|
Returns up to a specified number of events or sequences, starting with the
|
|
earliest matches. Works similarly to the
|
|
https://en.wikipedia.org/wiki/Head_(Unix)[Unix head command].
|
|
|
|
[%collapsible]
|
|
====
|
|
*Example*
|
|
|
|
The following EQL query returns up to three of the earliest powershell
|
|
commands.
|
|
|
|
[source,eql]
|
|
----
|
|
process where process.name == "powershell.exe"
|
|
| head 3
|
|
----
|
|
|
|
*Syntax*
|
|
[source,txt]
|
|
----
|
|
head <max>
|
|
----
|
|
|
|
*Parameters*
|
|
|
|
`<max>`::
|
|
(Required, integer)
|
|
Maximum number of matching events or sequences to return.
|
|
====
|
|
|
|
[discrete]
|
|
[[eql-pipe-tail]]
|
|
=== `tail`
|
|
|
|
Returns up to a specified number of events or sequences, starting with the most
|
|
recent matches. Works similarly to the
|
|
https://en.wikipedia.org/wiki/Tail_(Unix)[Unix tail command].
|
|
|
|
[%collapsible]
|
|
====
|
|
*Example*
|
|
|
|
The following EQL query returns up to five of the most recent `svchost.exe`
|
|
processes.
|
|
|
|
[source,eql]
|
|
----
|
|
process where process.name == "svchost.exe"
|
|
| tail 5
|
|
----
|
|
|
|
*Syntax*
|
|
[source,txt]
|
|
----
|
|
tail <max>
|
|
----
|
|
|
|
*Parameters*
|
|
|
|
`<max>`::
|
|
(Required, integer)
|
|
Maximum number of matching events or sequences to return.
|
|
====
|