Splunk® Cloud Services

SPL2 Search Reference

head command examples

The following are examples for using the SPL2 head command. To learn more about the head command, see How the SPL2 head command works.

1. Include the first non-matching event in the results

This example shows how the keeplast argument works.

This example specifies to keep the last result that is evaluated, even when that result returns false for the while clause. A maximum of 123 results are returned. The while clause looks for events where the timestamp field value is greater than 2020 and the error field value is equal to 1.2. When either of those conditions are not true, no further results are returned, except the last result evaluated.

...| head keeplast=true 123 while (timestamp>2020 AND error==1.2)

2. Returning results when data contains null values

This example shows how to specify a condition with a <boolean-expression> in the while clause.

This example returns up to 50 results even when a null value is encountered in the host field.

...| head while (isnull(host) OR host="localhost") 50

3. Return results for a specific time span

This example returns results until the time span of the data is >= 100 seconds.

This example uses the streamstats command to calculate a time range. Returns up to 10 results, which is the default number, or until the time span of the data is >= 100 seconds.

... | streamstats range(_time) AS timerange | head (timerange<100)

See also

head command
head command overview
head command syntax details
head command usage
Last modified on 31 January, 2024
head command usage   into command overview

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters