Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Synopsis

Displays the first n search query results

Used to display the first specified number of events resulting from a Simple Search, or the first specified number of summary table entries resulting from a Complex Search.

Syntax

first [number_of_results] for each [group]

Required Arguments

number_of_results

Syntax: <numeric>

Description: The number of first search results to display

Optional Arguments

None

Description

Returns the first n events from the search query results

for each group

Syntax: for each <column name>

Description: The column name on which the first specific number should display.

Description

When used immediately following a Simple Search query, returns the specified number of first events resulting from the search. When used immediately following a Complex Search query, returns the specified number of first entries from the summary table resulting from the search.

Examples

Example

1:

  

* in log.access | first 1132

Returns the first

11 events from access log

32 events from access log.

Example 2:

http in log.iis log| max time-taken | group by c-ip | first 21

Returns the max time-taken value from events in log.iis log having http in their column values, for the first 21 c-ip values only.

Example 3:

error in log.xpologlog | count | group by class, method | first 2 for each class

Returns the 2 methods that appeared most in each class in log.xpologlog log having error in their column values.

Example 4:

error in log.xpologlog | count | group by message | interval 1 hour | first 2 for each interval

Returns the 2 messages that appeared most in each 1-hour interval in log.xpologlog log having error in their column values.