nano SIEM
Search Commands

head

head

Return the first N results from your search.

Description

The head command limits results to the first N events or rows. This is useful for sampling data, testing queries, or focusing on the most recent or highest-ranked results when combined with sorting.

When used without other commands, head returns the first N raw events. When used after aggregations or sorting, it returns the first N aggregated rows.

Syntax

... | head [<count>]

Optional Arguments

count
Syntax: <int> or count=<int>
Description: Number of results to return
Default: 10

Examples

Get first 10 results (default)

* | head

Returns the first 10 events.

Get first 20 results

* | head 20

Returns the first 20 events.

Sample data for testing

status=500 | head 5

Quickly examine 5 error events.

Top N after sorting

* | stats count() by user
  | sort -count
  | head 10

Shows the top 10 users by event count.

Preview aggregation results

* | stats count() by src_ip, dest_port
  | head 25

Shows first 25 rows of aggregated data.

Most recent events

* | sort -timestamp
  | head 100

Gets the 100 most recent events.

Top endpoints by response time

* | stats avg(response_time) as avg_time by endpoint
  | sort -avg_time
  | head 5

Shows the 5 slowest endpoints.

Quick data exploration

source_type="firewall" | head 1

Examines a single firewall event to understand field structure.

Limit after filtering

action=login status=failure
| head 50

Gets first 50 failed login attempts.

Combined with table

* | head 100
  | table timestamp, user, action, src_ip

Shows specific fields from first 100 events.

After deduplication

* | dedup user
  | head 20

Gets first 20 unique users.

Top values with details

* | stats count() as events, 
         values(dest_port) as ports
  by src_ip
  | sort -events
  | head 10

Shows top 10 IPs with their associated ports.

Usage Notes

Default behavior: Without a count argument, head returns 10 results.

Performance: Using head early in your query can improve performance by limiting data processing in subsequent commands.

Order matters: Results depend on the order they arrive. Use sort before head to ensure consistent results.

Sampling: head is useful for sampling data, but results may not be representative of the entire dataset.

Pagination: For pagination, consider using head with different offsets or time ranges.

Raw events: When used on raw events without sorting, head returns events in the order they're retrieved from storage (typically chronological).

  • tail - Get last N results
  • sort - Order results before limiting
  • top - Automatically get most common values
  • table - Select specific fields to display

funnel

Previous Page

inputlookup

Next Page

Edit this page on GitHub
On this page

On this page

head
Description
Syntax
Optional Arguments
Examples
Get first 10 results (default)
Get first 20 results
Sample data for testing
Top N after sorting
Preview aggregation results
Most recent events
Top endpoints by response time
Quick data exploration
Limit after filtering
Combined with table
After deduplication
Top values with details
Usage Notes
Related Commands