EQL - Pipe reference - 《Elasticsearch v7.9 Reference》

EQL pipe reference
- head
- tail

EQL pipe reference

This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.

Elasticsearch supports the following EQL pipes.

`head`

Returns up to a specified number of events or sequences, starting with the earliest matches. Works similarly to the Unix head command).

Example

The following EQL query returns up to three of the earliest powershell commands.

process where process.name == "powershell.exe"
| head 3

Syntax

head <max>

Parameters

<max>

(Required, integer) Maximum number of matching events or sequences to return.

`tail`

Returns up to a specified number of events or sequences, starting with the most recent matches. Works similarly to the Unix tail command).

Example

The following EQL query returns up to five of the most recent svchost.exe processes.

process where process.name == "svchost.exe"
| tail 5

Syntax

tail <max>

Parameters

<max>

(Required, integer) Maximum number of matching events or sequences to return.