Splunk® Enterprise

Search Reference

head

Description

Returns the first N results in search order, where N is the number you specify. This means the most recent N events for a historical search, or the first N captured events for a real-time search.

There are two types of limits that can be applied: an absolute number of results, or an expression where all results are returned until the expression becomes false.

If no options or limits are explicitly stated, the head command returns the first 10 results.

If a numeric limit such as a numeric literal or the flag limit=int is used, the head command returns the first N results where N is the selected number. Using both numeric limit syntaxes results in an error.

If an eval expression is used, all initial results are returned until the first result where the expression evaluates as false. After that point, no further results are returned. The result where the expression evaluates as false is kept or dropped in accordance with the keeplast option.

If both a numeric limit and an eval expression are used, the smaller of the two constraints applies. For example,

... |head limit=10 (1==1)

returns up to the first 10 results, because the eval expression is always true. However,

... |head limit=10 (0==1)

returns no results, because the eval expression is always false.

Syntax

head [<N> | (<eval-expression>)] [limit=<int>] [null=<bool>] [keeplast=<bool>]

Required arguments

None.

If no options or limits are specified, the head command returns the first 10 results.

Optional arguments

<N>
Syntax: <int>
Description: The number of results to return.
Default: 10
limit
Syntax: limit=<int>
Description: Another way to specify the number of results to return.
Default: 10
eval-expression
Syntax: <eval-compare-exp> | <eval-bool-exp>
Description: A valid eval expression that evaluates to a Boolean. The search returns results until this expression evaluates to false. For more information, see the evaluation functions in the Search Reference.
keeplast
Syntax: keeplast=<bool>
Description: Use in conjunction with the eval-expression argument to determine whether the last result in the result set is retained. The last result returned is the result that caused the eval-expression to evaluate to false or NULL. Set keeplast to true to retain the last result in the result set. Set keeplast to false to discard the last result.
Default: true
null
Syntax: null=<bool>
Description: Use in conjunction with the eval-expression argument to specify how a NULL result is treated. For example, if the eval expression is (x > 10) and the field x does not exist, the expression evaluates to NULL instead of true or false. Set null to true to have the head command continue when it gets a NULL result. Set null to false to have the head command stop when it gets a NULL result.
Default: false

Examples

Example 1

Return the first 20 results.

... | head 20

Example 2

Return events until the time span of the data is >= 100 seconds.

... | streamstats range(_time) as timerange | head (timerange<100)
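
The stopping rules for an eval expression, keeplast, null, and a numeric limit can be checked with a small Python model run over constructed events shaped like Example 2. This is an added example, not Splunk's implementation: the head function, the lt helper, and the sample events are hypothetical, and keeplast is always passed explicitly so the result does not depend on the default.

```python
def lt(field, bound):
    """Build the expression (field < bound); NULL (None) when the field is absent."""
    def expr(result):
        value = result.get(field)
        return None if value is None else value < bound
    return expr


def head(results, expr=None, *, limit=10, keeplast, null=False):
    """Model of the documented head semantics over results in search order."""
    out = []
    for result in results:
        if len(out) >= limit:
            break  # the numeric limit is the smaller constraint
        verdict = True if expr is None else expr(result)
        if verdict is None and null:
            verdict = True  # null=true: continue past a NULL evaluation
        if not verdict:
            # False, or NULL with null=false: this result ends the output.
            # Assumption: a kept last result counts toward the limit.
            if keeplast:
                out.append(result)
            break
        out.append(result)
    return out


def ids(results):
    return [r["id"] for r in results]


# Constructed sample: timerange as produced by streamstats range(_time),
# with event 4 missing the field so the expression evaluates to NULL there.
EVENTS = [
    {"id": 1, "timerange": 0},
    {"id": 2, "timerange": 30},
    {"id": 3, "timerange": 75},
    {"id": 4},
    {"id": 5, "timerange": 90},
    {"id": 6, "timerange": 120},
    {"id": 7, "timerange": 150},
]

if __name__ == "__main__":
    for null in (False, True):
        for keeplast in (False, True):
            kept = ids(head(EVENTS, lt("timerange", 100), keeplast=keeplast, null=null))
            print(f"null={null} keeplast={keeplast} -> {kept}")
```

With null=false, the single event that lacks the field ends the result set, so events 5 through 7 never reach later commands in the pipeline. Set null explicitly when a search feeds an alert and the field is not guaranteed to exist.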

See also

reverse, tail

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the head command.

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.1.1, 7.1.2, 6.2.2, 6.2.3

