head command examples

The following are examples for using the SPL2 head command. To learn more about the head command, see How the head command works.

1. Include the first non-matching event in the results

This example shows how the keeplast argument works.

This example specifies to keep the last result that is evaluated, even when that result returns false for the while clause. A maximum of 123 results are returned. The while clause looks for events where the timestamp field value is greater than 2020 and the error field value is equal to 1.2. When either of those conditions are not true, no further results are returned, except the last result evaluated.

...| head keeplast=true 123 while (timestamp>2020 AND error==1.2)

2. Returning results when data contains null values

This example shows how to specify a condition with a <boolean-expression> in the while clause.

This example returns up to 50 results even when a null value is encountered in the host field.

...| head while (isnull(host) OR host="localhost") 50

3. Return results for a specific time span

This example returns results until the time span of the data is >= 100 seconds.

This example uses the streamstats command to calculate a time range. Returns up to 10 results, which is the default number, or until the time span of the data is >= 100 seconds.

... | streamstats range(_time) AS timerange | head (timerange<100)

Last modified on 20 August, 2021
