_limit is a query directive that limits the number of rows in a result set to the integer value specified in the query function. _limit always takes (includes) rows from the top of the result set produced by the previous query function in the pipeline.
The generic syntax of the _limit directive is as given below:
Take a look at the example given below:
_fetch * from event where $LogType=FIREWALL group count_unique $SrcIP limit 100 >>_limit 7
1. The _fetch directive retrieves all fields for each event in the event index where $LogType is FIREWALL. The result set is grouped by unique values of $SrcIP along with a count (count_unique) for each group. The result set is sorted in the descending order of count_unique (by default). It is then limited to 100 rows. The output is as shown below:
2. In the pipelined query function, the _limit directive limits the result set to the first 7 rows (from the top of the result set). The output is as shown below:
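To make the two stages concrete, the following is an added example (not part of the original documentation or of the query engine itself): a small Python model of the pipeline above, run over constructed firewall and proxy events. The event records, the field names as Python keys, and the function names are assumptions made for this example; only the semantics of each stage (filter, group with count_unique sorted in descending order, keep rows from the top) follow the text.

```python
"""Added example: a Python model of the pipeline

    _fetch * from event where $LogType=FIREWALL group count_unique $SrcIP limit 100 >>_limit 7

The events below are constructed for this illustration; the function names
(fetch, group_count_unique, limit, run_pipeline) are assumptions, not the
engine's own API.
"""
from collections import Counter

# Constructed sample data: source 10.0.0.k appears (12 - k) times as a
# FIREWALL event, so 10.0.0.0 is the busiest and 10.0.0.11 the quietest.
# Twenty PROXY events from 10.0.0.11 must be excluded by the where clause,
# otherwise that address would wrongly top the list.
EVENTS = [
    {"LogType": "FIREWALL", "SrcIP": f"10.0.0.{k}"}
    for k in range(12)
    for _ in range(12 - k)
] + [{"LogType": "PROXY", "SrcIP": "10.0.0.11"} for _ in range(20)]


def fetch(events, log_type):
    """_fetch * from event where $LogType=<log_type>: keep matching events."""
    return [e for e in events if e["LogType"] == log_type]


def group_count_unique(events, field):
    """group count_unique $field: one row per distinct value with its count,
    sorted in descending order of count_unique (the default ordering)."""
    counts = Counter(e[field] for e in events)
    rows = [{field: value, "count_unique": n} for value, n in counts.items()]
    # Tie-break on the field value so the ordering is deterministic.
    rows.sort(key=lambda r: (-r["count_unique"], r[field]))
    return rows


def limit(rows, n):
    """limit N and _limit N: keep the first N rows from the top of the result set."""
    return rows[:n]


def run_pipeline(events):
    """Return (stage1, stage2): the result set after 'limit 100' and after '>>_limit 7'."""
    stage1 = limit(group_count_unique(fetch(events, "FIREWALL"), "SrcIP"), 100)
    stage2 = limit(stage1, 7)
    return stage1, stage2


if __name__ == "__main__":
    first, second = run_pipeline(EVENTS)
    print(f"after limit 100: {len(first)} rows")   # 12 distinct sources, so the limit does not cut
    for row in second:                              # the 7 busiest sources, top of the result set
        print(row["SrcIP"], row["count_unique"])
```

Note that `limit 100` in the first stage is not reached here (only 12 distinct sources exist), while `_limit 7` in the pipelined stage drops the five quietest sources; both operate on the already sorted result set, which is why the rows kept are always the highest counts.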