_limit is a query directive used to limit the number of rows in a result set to the integer value specified in the query function. _limit always picks (includes) rows from the top of the result set of the previous query function in the pipeline.


The generic syntax of the _limit directive is as given below:

_limit <integer>


Take a look at the example given below:

_fetch * from event where $LogType=FIREWALL group count_unique $SrcIP limit 100
>>_limit 7


1. The _fetch directive retrieves all fields for each event in the event index where $LogType is FIREWALL. The result set is grouped by the unique values of $SrcIP, with a count (count_unique) for each group. By default the result set is sorted in descending order of count_unique. It is then limited to 100 rows. The output is as shown below:

[Figure: result set comprises events from all firewalls]

2. In the pipelined query function, the _limit directive limits the result set to the first 7 rows (from the top of the result set). The output is as shown below:

[Figure: the _limit directive limits the number of rows displayed]
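The two-stage pipeline above, simulated in Python as an added example (this is not the query engine's own code): constructed firewall events are grouped by $SrcIP with a count per group, sorted by count in descending order, limited to 100 rows, and the pipelined _limit then keeps the first 7 rows from the top. The tie-break on equal counts (by source IP string) is an assumption made here so the output is deterministic; the page does not specify one.

```python
from collections import Counter

# Constructed sample data (not real log data): ten firewall sources with
# known event counts, plus some non-firewall events the where clause drops.
SAMPLE_COUNTS = {"10.0.0.1": 12, "10.0.0.2": 9, "10.0.0.3": 9, "10.0.0.4": 7,
                 "10.0.0.5": 5, "10.0.0.6": 4, "10.0.0.7": 3, "10.0.0.8": 2,
                 "10.0.0.9": 2, "10.0.0.10": 1}
EVENTS = [{"LogType": "FIREWALL", "SrcIP": ip}
          for ip, n in SAMPLE_COUNTS.items() for _ in range(n)]
EVENTS += [{"LogType": "PROXY", "SrcIP": "10.0.0.11"} for _ in range(20)]


def fetch_group_count_unique(events, log_type, field, limit):
    """Simulate: _fetch * from event where $LogType=<log_type>
    group count_unique $<field> limit <limit>.
    Returns rows sorted by count_unique, descending (the default order)."""
    matching = [e for e in events if e.get("LogType") == log_type]
    counts = Counter(e[field] for e in matching if field in e)
    rows = [{field: value, "count_unique": n} for value, n in counts.items()]
    # Assumed tie-break: equal counts ordered by the grouped field's value.
    rows.sort(key=lambda r: (-r["count_unique"], r[field]))
    return rows[:limit]


def limit_rows(rows, n):
    """Simulate the pipelined `_limit <n>`: keep the first n rows,
    always taken from the top of the previous stage's result set."""
    return rows[:n]


def run_pipeline(events):
    """The full example: ... limit 100  >>  _limit 7"""
    stage1 = fetch_group_count_unique(events, "FIREWALL", "SrcIP", 100)
    return limit_rows(stage1, 7)


if __name__ == "__main__":
    for row in run_pipeline(EVENTS):
        print(f'{row["SrcIP"]:<12} {row["count_unique"]}')
```

Because _limit keeps rows from the top of the previous stage, which rows survive depends entirely on that stage's ordering: here it is the seven sources with the most firewall events.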