Retrieves the oldest events first and returns a specified
maximum number of events. The head()
function sorts events by either @timestamp
or @ingesttimestamp, depending on the
selected query parameters. This function is equivalent to the
command-line head tool.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
limit[a] | number | optional[b] | 200 | The argument given to this parameter determines the limit on the number of events included in the result of the function. The default argument is default. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used. |
| Minimum | 0 | |||
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
limitcan be omitted; the following forms of this function are equivalent:logscale Syntaxhead("value")and:
logscale Syntaxhead(limit="value")These examples show basic structure only.
Note
The head() function is often used with
Sequence Query Functions, as these functions must
be used after an aggregator function to ensure event ordering.
head()Examples
Click next to an example below to get the full details.
Calculate Running Average of Field Values
Calculate a running average of values in a dataset using the
accumulate() function
Query
head()
| accumulate(avg(value))Introduction
In this example, the accumulate() function is used
with the avg() function to calculate a running
average of the field value.
Note that the accumulate() function must be used
after an aggregator function, in this example the
head() function, to ensure event ordering.
Example incoming data might look like this:
| key | value |
|---|---|
| a | 5 |
| b | 6 |
| c | 1 |
| d | 2 |
Step-by-Step
Starting with the source repository events.
- logscale
head()Ensures that the events are ordered by time, selecting the oldest events.
- logscale
| accumulate(avg(value))Computes the running average of all values, including the current one, using the
accumulate()function with theavg()aggregator. Event Result set.
Summary and Results
The query is used to calculate the running average of fields. The query calculates moving averages that change as new values arrive.
Sample output from the incoming example data:
| _avg | key | value |
|---|---|---|
| 5 | a | 5 |
| 5.5 | b | 6 |
| 4 | c | 1 |
| 3.5 | d | 2 |