Skip to content

limit - Limit number of response documents

The limit operator limits the output of a query to a specified number of events.

Syntax

limit <event-count>

Example - Get top 100 Users by Activity

Consider the following document:

{
    "path": "/home",
    "user": "chris"
},
{
    "path": "/home",
    "user": "dave"
},
{
    "path": "/home",
    "user": "maya"
}

In order for us to count activity, we'll need to perform an aggregation to count the number of logs:

groupby user calculate count()

If we have more than 100 users, then we won't get the top 100 users here. We first need to sort by the new count field, and then limit:

groupby user calculate count() as hit_count | orderby hit_count | limit 100

This will return an aggregated view of the first (top) 100 users.

NOTE: We've used groupby, orderby and limit in this example to illustrate how limit works, but we can achieve the same outcome with the top command.