Returns the first N specified results in search order. This means the most recent N events for a historical search, or the first N captured events for a real-time search. The search results are limited to the first results in search order.
There are two types of limits that can be applied: a quantity of results in absolute numbers, or an expression where all results are returned until the expression becomes false.
If no options or limits are explicitly stated, the head command will return the first 10 results.
If a numeric limit such as a numeric literal or the flag limit=int is used, the head command will return the first N results where N is the selected number. Using both numeric limit syntaxes will result in an error.
If an eval expression is used, all initial results are returned until the first result where the expression evaluates as false. After that point, no further results are returned. The result where the expression evaluates as false will be kept or dropped in accordance with the keeplast option.
If both a numeric limit and an eval expression are used, the smaller of the two constraints will apply. For example,
... |head limit=10 (1==1)
will return up to the first 10 results, since the expression is always true. However,
... |head limit=10 (0==1)
will return no results, since the expression is always false.
head [<N> | (<eval-expression>)] [limit=<int>] [null=<bool>] [keeplast=<bool>]
- Syntax: <int>
- Description: The number of results to return.
- Syntax: limit=<int>
- Description: Another way to specify the number of results to return.
- Syntax: <eval-math-exp> | <eval-concat-exp> | <eval-compare-exp> | <eval-bool-exp> | <eval-function-call>
- Description: A valid eval expression that evaluates to a Boolean. The search returns results until this expression evaluates to false. keeplast specifies whether to keep this terminal result. For more information, see the evaluation functions in the Search Reference.
- Syntax: keeplast=<bool>
- Description: Controls whether or not to keep the last result, which caused the eval expression to evaluate to false (or NULL).
- Syntax: null=<bool>
- Description: When using a Boolean eval expression, this specifies how a null result should be treated. For example, if the eval expression is (x > 10) and the field x does not exist, the expression evaluates to NULL instead of true or false. null=true means that the head command continues if it gets a null result, and null=false means the command stops if this occurs.
- Default: false
Return the first 20 results.
... | head 20
Return events until the time span of the data is >= 100 seconds
... | streamstats range(_time) as timerange | head (timerange<100)
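The interaction of the numeric limit, the eval expression, keeplast and null described above can be modelled in Python and run over sample data. This is an added example, not Splunk code: the function `head`, the helper `is_failure` and the authentication events are constructed for illustration, the eval expression is represented as a callable returning True, False or None (for NULL), and it is an assumption of this model that a kept terminal result is only kept while the numeric limit has not yet been reached.

```python
from typing import Callable, Iterable, Optional

Event = dict
Expr = Callable[[Event], Optional[bool]]  # None models an eval result of NULL


def head(results: Iterable[Event], limit: Optional[int] = None,
         expr: Optional[Expr] = None, keeplast: bool = False,
         null: bool = False) -> list:
    """Model of the documented head semantics over results in search order."""
    if limit is None and expr is None:
        limit = 10  # documented default when no option or limit is given
    kept = []
    for event in results:
        if limit is not None and len(kept) >= limit:
            break  # the numeric constraint was the smaller one
        if expr is not None:
            verdict = expr(event)
            if verdict is None:
                verdict = null  # null=true continues, null=false stops
            if not verdict:
                if keeplast:
                    kept.append(event)  # keep the terminal result
                break
        kept.append(event)
    return kept


# Constructed sample: authentication events, newest first, which is the
# search order of a historical search.
EVENTS = [
    {"user": "svc-backup", "action": "failure"},
    {"user": "svc-backup", "action": "failure"},
    {"user": "svc-backup"},  # action field missing, so the expression is NULL
    {"user": "svc-backup", "action": "failure"},
    {"user": "svc-backup", "action": "success"},
    {"user": "svc-backup", "action": "failure"},
]


def is_failure(event: Event) -> Optional[bool]:
    """Models the expression (action=="failure"); a missing field gives NULL."""
    return None if "action" not in event else event["action"] == "failure"


if __name__ == "__main__":
    for opts in ({}, {"null": True}, {"null": True, "keeplast": True}):
        print(opts, len(head(EVENTS, expr=is_failure, **opts)))
```

With the default null=false, an event that lacks the tested field ends the result set early, which matters when the search is meant to capture a complete run of events up to a boundary.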
This documentation applies to the following versions of Splunk Cloud™: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3