The limit operator in Axiom Processing Language (APL) allows you to restrict the number of rows returned from a query. It’s particularly useful when you want to see only a subset of results from large datasets, such as when debugging or previewing query outputs. The limit operator can help optimize performance and focus analysis by reducing the amount of data processed.

Use the limit operator when you want to return only the top rows from a dataset, especially in cases where the full result set isn’t necessary.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk, the equivalent to APL’s limit is the head command, which also returns the top rows of a dataset. The main difference is in the syntax.

```sql Splunk example | head 10 ``` 
['sample-http-logs'] 
| limit 10

In ANSI SQL, the LIMIT clause is equivalent to the limit operator in APL. The SQL LIMIT statement is placed at the end of a query, whereas in APL, the limit operator comes after the dataset reference.

```sql SQL example SELECT * FROM sample_http_logs LIMIT 10; ``` 
['sample-http-logs'] 
| limit 10

Usage

Syntax

| limit [N]

Parameters

  • N: The maximum number of rows to return. This must be a non-negative integer.

Returns

The limit operator returns the top N rows from the input dataset. If fewer than N rows are available, all rows are returned.

When using `limit` with `summarize` where the first grouping expression is a time bin, the limit behavior differs: Axiom computes the global top **N** groups across all time buckets, then limits each time bucket to only include those groups. This can result in more than **N** total rows. For more information, see [summarize](/apl/tabular-operators/summarize-operator#limit-behavior-with-time-binning).

Use case examples

In log analysis, you often want to view only the most recent entries, and limit can help narrow the focus on those rows.

Query

['sample-http-logs']
| limit 5

Run in Playground

Output

_time req_duration_ms id status uri method geo.city geo.country
2024-10-17T12:00:00 200 123 200 /index.html GET New York USA
2024-10-17T11:59:59 300 124 404 /notfound.html GET London UK

This query limits the output to the first 5 rows from the ['sample-http-logs'] dataset, returning recent HTTP log entries.

When analyzing OpenTelemetry traces, you may want to focus on the most recent traces.

Query

['otel-demo-traces']
| limit 5

Run in Playground

Output

_time duration span_id trace_id service.name kind status_code
2024-10-17T12:00:00 500ms 1abc 123xyz frontend server OK
2024-10-17T11:59:59 200ms 2def 124xyz cartservice client OK

This query retrieves the first 5 rows from the ['otel-demo-traces'] dataset, helping you analyze the latest traces.

For security log analysis, you might want to review the most recent login attempts to ensure no anomalies exist.

Query

['sample-http-logs']
| where status == '401'
| limit 5

Run in Playground

Output

_time req_duration_ms id status uri method geo.city geo.country
2024-10-17T12:00:00 300 567 401 /login.html POST Berlin Germany
2024-10-17T11:59:59 250 568 401 /login.html POST Sydney Australia

This query limits the output to 5 unauthorized access attempts (401 status code) from the ['sample-http-logs'] dataset.
  • take: Similar to limit, but explicitly focuses on row sampling.
  • top: Retrieves the top N rows sorted by a specific field.
  • sample: Randomly samples N rows from the dataset.

Good morning

I'm here to help you with the docs.

I
AIBased on your context