elasticsearch/docs/reference/eql/pipes.asciidoc

[role="xpack"]
[testenv="basic"]
[[eql-pipe-ref]]
== EQL pipe reference
++++
<titleabbrev>Pipe reference</titleabbrev>
++++

{es} supports the following <<eql-pipes,EQL pipes>>.

[discrete]
[[eql-pipe-head]]
=== `head`

Returns up to a specified number of events or sequences, starting with the
earliest matches. Works similarly to the
{wikipedia}/Head_(Unix)[Unix head command].

*Example*

The following EQL query returns up to three of the earliest powershell
commands.

[source,eql]
----
process where process.name == "powershell.exe"
| head 3
----

*Syntax*
[source,txt]
----
head <max>
----

*Parameters*

`<max>`::
(Required, integer)
Maximum number of matching events or sequences to return.

[discrete]
[[eql-pipe-tail]]
=== `tail`

Returns up to a specified number of events or sequences, starting with the most
recent matches. Works similarly to the
{wikipedia}/Tail_(Unix)[Unix tail command].

*Example*

The following EQL query returns up to five of the most recent `svchost.exe`
processes.

[source,eql]
----
process where process.name == "svchost.exe"
| tail 5
----

*Syntax*
[source,txt]
----
tail <max>
----

*Parameters*

`<max>`::
(Required, integer)
Maximum number of matching events or sequences to return.