head
import { Aside } from ‘@astrojs/starlight/components’;
The head command returns the first N results from a search result. The default number of results is 10. An optional offset skips a specified number of results before returning, enabling simple pagination.
head is commonly placed at the end of a pipeline after sort to implement top-N queries (for example, “show the 10 slowest traces”). During exploration, always use head to limit the volume of data scanned and returned.
Syntax
Section titled “Syntax”head [<size>] [from <offset>]Arguments
Section titled “Arguments”| Argument | Required | Type | Default | Description |
|---|---|---|---|---|
<size> | No | Integer | 10 | The number of results to return. Must be a positive integer. |
<offset> | No | Integer | 0 | The number of results to skip before returning. Used with the from keyword. Must be a non-negative integer. |
Usage notes
Section titled “Usage notes”- Always use during exploration. Adding
headat the end of a query prevents scanning the entire result set when you only need a sample. - Combine with
sortfor top-N patterns. The idiomatic way to get “top N by some metric” in PPL issort - <field> | head N. - Offset enables simple pagination. Use
head <size> from <offset>to page through results. For example,head 10 from 20returns results 21 through 30. - Order matters.
headoperates on whatever the pipeline has produced up to that point. Placing it beforesortlimits the rows that get sorted; placing it aftersortlimits the sorted output.
Examples
Section titled “Examples”Return the default number of results
Section titled “Return the default number of results”Return the first 10 log entries (the default):
| headReturn a specific number of results
Section titled “Return a specific number of results”Return the first 50 results:
| head 50Skip results with an offset
Section titled “Skip results with an offset”Return 10 results starting from the 21st result (skip the first 20):
| head 10 from 20Top-N pattern: slowest traces
Section titled “Top-N pattern: slowest traces”Combine sort and head to find the 10 slowest spans:
source = otel-v1-apm-span-*| sort - durationInNanos| head 10Top-N pattern: services with the most errors (OTel logs)
Section titled “Top-N pattern: services with the most errors (OTel logs)”Count error logs per service, sort descending, and return the top 5:
| where severityText = 'ERROR'| stats count() as error_count by `resource.attributes.service.name`| sort - error_count| head 5Extended examples
Section titled “Extended examples”Paginate through recent error logs
Section titled “Paginate through recent error logs”Page through error logs 20 at a time. This query returns the second page (results 21-40):
| where severityText = 'ERROR'| sort - time| head 20 from 20Sample logs from each OTel service
Section titled “Sample logs from each OTel service”Get a quick sample of 5 logs per service by combining dedup and head:
source = logs-otel-v1*| dedup 5 `resource.attributes.service.name`| sort - timeThis is useful for initial exploration of what data each service is producing, without scanning the entire index.
See also
Section titled “See also”- sort - Sort results before applying
headfor top-N queries - dedup - Deduplicate results for unique combinations
- PPL Command Reference - All PPL commands
- Observability Examples - Real-world OTel queries