Learn more about the Cortex Query Language limit stage that sets the maximum number of records that can be returned in the result set.
Syntax
limit <number>Description
The limit stage sets the maximum number of records that can be returned in the result set. To help reduce the Cortex Query Language (XQL) response time, the default results for a Cortex Data Model (XDM) query or an XQL basic query is limited to 1000, when no limit is explicitly stated in the query. This applies to basic queries with no stages except the fields stage. This default limit does not apply to widgets, Correlation Rules, public APIs, saved queries, or scheduled queries, where the limit is a maximum of 1,000,000 results.
Using a small limit can greatly increase the performance of your query by reducing the number of records that Cortex XSIAM can return in the result set.
Examples
Set the maximum number of records returned by the query to 10.
dataset = xdr_data | limit 10