Splunk Cloud

Search Reference




Returns the first N results in search order. For a historical search, these are the N most recent events; for a real-time search, they are the first N captured events.

There are two types of limits that can be applied: a quantity of results in absolute numbers, or an expression where all results are returned until the expression becomes false.

If no options or limits are explicitly stated, the head command will return the first 10 results.

If a numeric limit such as a numeric literal or the flag limit=int is used, the head command will return the first N results where N is the selected number. Using both numeric limit syntaxes will result in an error.

If an eval expression is used, all initial results are returned until the first result where the expression evaluates as false. After that result, no further results are returned. The result where the expression evaluates as false will be kept or dropped in accordance with the keeplast option.

If both a numeric limit and an eval expression are used, the smaller of the two constraints will apply. For example,

... |head limit=10 (1==1)

will return up to the first 10 results, since the expression is always true. However,

... |head limit=10 (0==1)

will return no results, since the expression is always false.


head [<N> | (<eval-expression>)] [limit=<int>] [null=<bool>] [keeplast=<bool>]

Optional arguments

Syntax: <int>
Description: The number of results to return.

Syntax: limit=<int>
Description: Another way to specify the number of results to return.

Syntax: <eval-math-exp> | <eval-concat-exp> | <eval-compare-exp> | <eval-bool-exp> | <eval-function-call>
Description: A valid eval expression that evaluates to a Boolean. The search returns results until this expression evaluates to false. keeplast specifies whether to keep this terminal result. For more information, see the evaluation functions in the Search Reference.

Syntax: keeplast=<bool>
Description: Controls whether to keep the last result, that is, the result that caused the eval expression to evaluate to false (or NULL).

Syntax: null=<bool>
Description: When using a Boolean eval expression, this specifies how a null result should be treated. For example, if the eval expression is (x > 10) and the field x does not exist, the expression evaluates to NULL instead of true or false. null=true means that the head command continues if it gets a null result, and null=false means the command stops if this occurs.
Default: false


Example 1:

Return the first 20 results.

... | head 20

Example 2:

Return events until the time span of the data is >= 100 seconds.

... | streamstats range(_time) as timerange | head (timerange<100)
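
The following Python model is an added example, not Splunk code and not part of the original documentation. It reproduces the stopping rule described above to show how limit, null, and keeplast interact, and how a result that lacks the tested field ends the output early under the default null=false. The function head(), the helper is_failure(), and the sample events are constructed for illustration. Assumptions are listed in the code comments.

```python
# Model of the stopping rule this page describes for `head`; not Splunk code.
# Assumptions (not stated on the page): a NULL result let through by null=True
# is itself returned, and a result kept by keeplast=True counts toward the limit.

def head(results, limit=None, predicate=None, null=False, keeplast=False):
    """predicate(result) returns True, False, or None (None models eval NULL)."""
    if limit is None and predicate is None:
        limit = 10                      # no options or limits: first 10 results
    out = []
    for result in results:
        if limit is not None and len(out) >= limit:
            break                       # numeric limit reached first
        if predicate is not None:
            verdict = predicate(result)
            if verdict is False or (verdict is None and not null):
                if keeplast:
                    out.append(result)  # keep the terminal result
                break
        out.append(result)
    return out

# Constructed sample: authentication events in search order (newest first).
EVENTS = [
    {"user": "svc-backup", "action": "failure"},
    {"user": "svc-backup", "action": "failure"},
    {"user": "svc-backup"},             # no action field: expression is NULL
    {"user": "svc-backup", "action": "failure"},
    {"user": "svc-backup", "action": "success"},
    {"user": "svc-backup", "action": "failure"},
]

def is_failure(event):
    """Models the eval expression (action=="failure")."""
    action = event.get("action")
    return None if action is None else action == "failure"

if __name__ == "__main__":
    for null in (False, True):
        for keeplast in (False, True):
            kept = head(EVENTS, predicate=is_failure, null=null, keeplast=keeplast)
            print(f"null={null} keeplast={keeplast}: {len(kept)} results")
```

With the defaults, the event that has no action field stops the output after two results, so a search that relies on an eval expression over a sparsely populated field should set null explicitly.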

See also

reverse, tail


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the head command.


This documentation applies to the following versions of Splunk Cloud: 6.5.0, 6.5.1, 6.6.0, 6.5.1612, 6.6.1, 6.6.3, 7.0.0
