head command examples
The following are examples for using the SPL2
To learn more about the head command, see How the head command works.
1. Include the first non-matching event in the results
This example shows how the keeplast argument works.
This example keeps the last result that is evaluated, even when that result returns false for the while clause. A maximum of 123 results are returned. The while clause looks for events where the timestamp field value is greater than 2020 and the error field value is equal to 1.2. When either of those conditions is not true, no further results are returned, except the last result evaluated.
...| head keeplast=true 123 while (timestamp>2020 AND error==1.2)
2. Returning results when data contains null values
This example shows how to specify a condition with a <boolean-expression> in the
This example returns up to 50 results even when a null value is encountered in the
...| head while (isnull(host) OR host="localhost") 50
3. Return results for a specific time span
This example returns results until the time span of the data is >= 100 seconds.
This example uses the streamstats command to calculate a time range. The search returns up to 10 results, which is the default number, or stops when the time span of the data is >= 100 seconds.
... | streamstats range(_time) AS timerange | head (timerange<100)
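The following Python model is an added example, not Splunk code and not part of the original documentation. It reproduces the stopping behavior described in the three examples above over constructed events. The function names, the sample events, and the assumption that the event kept by keeplast counts toward the limit are not taken from Splunk.

```python
# Simplified model of head (limit, while, keeplast); assumptions noted inline.
def head(events, limit=10, while_=None, keeplast=False):
    """Return events in order until limit is reached or while_ is false."""
    out = []
    for ev in events:
        if len(out) >= limit:    # assumption: a keeplast event counts toward limit
            break
        if while_ is not None and not while_(ev):
            if keeplast:
                out.append(ev)   # keep the first non-matching event
            break                # nothing after this point is returned
        out.append(ev)
    return out

def streamstats_range(events, field="_time", out_field="timerange"):
    """Attach the running max-min of field, like streamstats range(_time)."""
    lo = hi = None
    result = []
    for ev in events:
        v = ev[field]
        lo = v if lo is None else min(lo, v)
        hi = v if hi is None else max(hi, v)
        result.append({**ev, out_field: hi - lo})
    return result

def ids(events):
    return [ev["id"] for ev in events]

# Constructed sample events (not real data).
ERR = [
    {"id": 1, "timestamp": 2021, "error": 1.2},
    {"id": 2, "timestamp": 2022, "error": 1.2},
    {"id": 3, "timestamp": 2023, "error": 0.5},  # first non-matching event
    {"id": 4, "timestamp": 2024, "error": 1.2},  # matches, but comes after the stop
]
HOSTS = [{"id": 1, "host": "localhost"}, {"id": 2, "host": None},
         {"id": 3, "host": "web01"}, {"id": 4, "host": "localhost"}]
TIMES = [{"id": i + 1, "_time": t} for i, t in enumerate([1000, 1030, 1090, 1120, 1125])]

def err_ok(ev):   # example 1: timestamp>2020 AND error==1.2
    return ev["timestamp"] > 2020 and ev["error"] == 1.2

def host_ok(ev):  # example 2: isnull(host) OR host="localhost"
    return ev["host"] is None or ev["host"] == "localhost"

if __name__ == "__main__":
    print(ids(head(ERR, 123, err_ok, keeplast=True)))
    print(ids(head(ERR, 123, err_ok)))
    print(ids(head(HOSTS, 50, host_ok)))
    print(ids(head(streamstats_range(TIMES), while_=lambda e: e["timerange"] < 100)))
```

Event 4 in ERR satisfies the condition but is never returned: head stops at the first non-matching event, so in a detection search it does not behave like a filter over all events.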
This documentation applies to the following versions of Splunk® Cloud Services: current