Synopsis

Used to display the first specified number of events resulting from a Simple Search, or the first specified number of summary table entries resulting from a Complex Search.

Syntax

Required Arguments

Syntax: <numeric>

Description: The number of first search results to display

Optional Arguments

for each group

Syntax: for each <column name>

Description: The column name on which the first specific number should display.

Description

When used immediately following a Simple Search query, returns the specified number of first events resulting from the search. When used immediately following a Complex Search query, returns the specified number of first entries from the summary table resulting from the search.

Examples

Example 1:

Returns the first 32 events from access log.

Example 2:

Returns the max time-taken value from events in log.iis log having http in their column values, for the first 21 c-ip values only.

Example 3:

error in log.xpologlog | count | group by class, method | first 2 for each class

Returns the 2 methods that appeared most in each class in log.xpologlog log having error in their column values.

Example 4:

error in log.xpologlog | count | group by message | interval 1 hour | first 2 for each interval

Returns the 2 messages that appeared most in each 1-hour interval in log.xpologlog log having error in their column values.