Retrieves the oldest events first and returns a specified maximum number of events. The head() function sorts events by either @timestamp or @ingesttimestamp, depending on the selected query parameters. This function is equivalent to the command-line head tool.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| limit[a] | number | optional[b] | | The argument given to this parameter determines the limit on the number of events included in the result of the function. The default argument is default. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used. |
| | | | Minimum | 0 |
| | | | Maximum | 20,000. The default maximum limit is not static and can be changed by setting the StateRowLimit dynamic configuration. |

[a] The parameter name limit can be omitted.

[b] Optional parameters use their default value unless explicitly set.

The maximum value of the limit parameter can be adjusted using the StateRowLimit dynamic configuration.

Note

The head() function is often used with Sequence Query Functions, as these functions must be used after an aggregator function to ensure event ordering.
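
The following is an added illustration, not LogScale code and not part of the original documentation: a small Python model of the behaviour described above, showing why an order-dependent calculation gives different results before and after head() has ordered the events. The sample events, the `bytes` field, the `sort_field` argument, and the choice to reject out-of-range limits are assumptions made for the model.

```python
# Added illustration: a Python model of the head() behaviour described on this page.
# It is not LogScale's implementation; events and field names are constructed.
from itertools import accumulate

STATE_ROW_LIMIT = 20_000  # maximum stated on this page (StateRowLimit)


def head(events, limit, sort_field="@timestamp", state_row_limit=STATE_ROW_LIMIT):
    """Return the oldest `limit` events, ordered oldest-first by `sort_field`."""
    if limit == "max":                     # limit=max uses the StateRowLimit value
        limit = state_row_limit
    if not 0 <= limit <= state_row_limit:  # assumption: the model rejects out-of-range limits
        raise ValueError(f"limit must be between 0 and {state_row_limit}")
    return sorted(events, key=lambda e: e[sort_field])[:limit]


def running_average(events, field):
    """Order-dependent calculation, standing in for a sequence function."""
    totals = accumulate(e[field] for e in events)
    return [total / n for n, total in enumerate(totals, start=1)]


# Constructed sample: stored in arrival order, which differs from event time.
EVENTS = [
    {"@timestamp": 30, "@ingesttimestamp": 31, "bytes": 300},
    {"@timestamp": 10, "@ingesttimestamp": 35, "bytes": 100},
    {"@timestamp": 20, "@ingesttimestamp": 33, "bytes": 200},
    {"@timestamp": 40, "@ingesttimestamp": 41, "bytes": 400},
]

if __name__ == "__main__":
    # Unordered input: the running average follows arrival order.
    print(running_average(EVENTS, "bytes"))
    # After head(): the three oldest events by @timestamp, in time order.
    print(running_average(head(EVENTS, 3), "bytes"))
    # Sorting by @ingesttimestamp selects and orders events differently.
    print([e["bytes"] for e in head(EVENTS, 3, "@ingesttimestamp")])
```
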

head() Syntax Examples

  • Select the 10 oldest events with loglevel=ERROR

    loglevel=ERROR
    | head(10)

  • Select the 100 oldest events and group them by loglevel

    head(limit=100)
    | groupBy(loglevel)

head() Examples

Calculate Running Average of Field Values

Calculate a running average of values in a dataset using the accumulate() function