This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« EQL function reference Example: Detect threats with EQL »
Elastic Docs Elasticsearch Guide [master] EQL search

EQL pipe reference

edit

EQL pipe reference

edit

Elasticsearch supports the following EQL pipes.

head

edit

Returns up to a specified number of events or sequences, starting with the earliest matches. Works similarly to the Unix head command.

Example

The following EQL query returns up to three of the earliest powershell commands.

process where process.name == "powershell.exe"
| head 3

Syntax

head <max>

Parameters

<max>
(Required, integer) Maximum number of matching events or sequences to return.

tail

edit

Returns up to a specified number of events or sequences, starting with the most recent matches. Works similarly to the Unix tail command.

Example

The following EQL query returns up to five of the most recent svchost.exe processes.

process where process.name == "svchost.exe"
| tail 5

Syntax

tail <max>

Parameters

<max>
(Required, integer) Maximum number of matching events or sequences to return.
« EQL function reference Example: Detect threats with EQL »