Splunk: top & rare Command

Kuldeep Singh
1 min read · Feb 4, 2022

This guide is based on Splunk Documentation.

Top & Rare

The top and rare commands accept exactly the same options but do the opposite work: top returns the most common values of the given fields, while rare returns the least common values. Both are transforming commands, so they turn the incoming events into a statistics table of values, counts and percentages rather than passing events through.

Syntax: top [<N>] [<top-options>...] <field-list> [<by-clause>]

rare [<N>] [<top-options>...] <field-list> [<by-clause>]

<field-list> is a comma-delimited list of field names; when more than one field is given, the commands count distinct combinations of those values. <N> is the maximum number of result rows to return and defaults to 10. <by-clause> groups the results by the fields it names, so the top (or rare) N values are reported separately for each group, with percentages computed within the group.

Top options: countfield, percentfield, showcount, showperc, limit, otherstr, useother.

limit is the same as <N>. countfield specifies the name of the count column (default count), while percentfield names the percentage column (default percent). otherstr names the row that aggregates the values that would otherwise be excluded by the limit; its default is OTHER, and that row only appears when useother is true. showcount, showperc and useother are booleans controlling whether the count column, the percentage column and the OTHER row appear in the result. showcount and showperc default to true; useother defaults to false.
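As an added illustration (this code is not from Splunk's documentation or from the original article), the following Python emulates what top and rare compute over a handful of constructed authentication-style events, so the effect of count, percent, limit, the by-clause and useother/otherstr can be seen on concrete rows. Two assumptions are made and marked in the comments: events missing any listed field are left out of the total, and ties between equal counts (which Splunk does not promise to order) are broken by value for determinism.

```python
from collections import Counter

# Constructed sample events for this example (made up, not real log data).
# The last event has no src_ip, to show how a missing field is treated.
EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.5", "action": "success"},
    {"user": "alice", "src_ip": "10.0.0.5", "action": "success"},
    {"user": "alice", "src_ip": "10.0.0.5", "action": "failure"},
    {"user": "bob", "src_ip": "10.0.0.7", "action": "success"},
    {"user": "bob", "src_ip": "10.0.0.7", "action": "failure"},
    {"user": "carol", "src_ip": "203.0.113.9", "action": "failure"},
    {"user": "svc_backup", "src_ip": "203.0.113.9", "action": "failure"},
    {"user": "alice", "action": "success"},
]


def top(events, fields, n=10, by=None, rare=False, showcount=True,
        showperc=True, useother=False, otherstr="OTHER",
        countfield="count", percentfield="percent"):
    """Emulate Splunk's top (or rare, when rare=True) over dict events.

    Returns a list of result rows, one dict per row, in the order the
    command would display them. Option names mirror the SPL top-options.
    """
    by = by or []
    # Assumption: an event missing any field in <field-list> or the
    # by-clause is not counted, so it does not dilute the percentages.
    groups = {}  # by-value tuple -> Counter of field-value tuples
    for ev in events:
        if any(f not in ev for f in fields + by):
            continue
        key = tuple(ev[f] for f in by)
        groups.setdefault(key, Counter())[tuple(ev[f] for f in fields)] += 1

    out = []
    for key, counter in groups.items():  # groups in first-seen order
        total = sum(counter.values())     # percent is relative to the group
        # top: most common first; rare: least common first.
        # Assumption: equal counts are ordered by value (Splunk leaves it open).
        ranked = sorted(counter.items(),
                        key=lambda kv: (kv[1] if rare else -kv[1], kv[0]))
        shown = ranked if n <= 0 else ranked[:n]   # limit=0 means no limit
        rest = 0 if n <= 0 else sum(c for _, c in ranked[n:])
        if useother and rest:
            # Everything cut off by the limit collapses into one OTHER row.
            shown = shown + [(tuple(otherstr for _ in fields), rest)]
        for values, count in shown:
            row = dict(zip(fields, values))
            row.update(zip(by, key))
            if showcount:
                row[countfield] = count
            if showperc:
                row[percentfield] = round(100.0 * count / total, 6)
            out.append(row)
    return out


def rare(events, fields, **options):
    """Same options as top, opposite ordering."""
    return top(events, fields, rare=True, **options)


if __name__ == "__main__":
    # Equivalent SPL for each call is given in the comment.
    for row in top(EVENTS, ["user"]):                      # | top user
        print(row)
    for row in rare(EVENTS, ["user"]):                     # | rare user
        print(row)
    for row in top(EVENTS, ["user"], n=2, useother=True):  # | top limit=2 useother=t user
        print(row)
    for row in top(EVENTS, ["src_ip"], by=["action"]):     # | top src_ip by action
        print(row)
```

Running it shows alice at 50 percent of the eight events, the rare ordering starting with the two single-occurrence users, a limit=2 result whose third row is OTHER with count 2, and per-action percentages that sum to 100 within each action rather than across the whole table. The event without src_ip is counted for `top user` but dropped for `top src_ip by action`.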
