rare
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
rare
Synopsis
Displays the least common values of a field.
Syntax
rare [<top-opt>]* <field-list> [<by-clause>]
Arguments
- <by-clause>
- Syntax: by <field-list>
- Description: The name of one or more fields to group by.
- <field-list>
- Syntax: <string>,...
- Description: Comma-delimited list of field names.
- <top-opt>
- Syntax: countfield=<string> | limit=<int> | percentfield=<string> | rare=<bool> | showcount=<bool> | showperc=<bool>
- Description: Options for rare (same as top).
Top options
- countfield
- Syntax: countfield=<string>
- Description: Name of a new field to write the value of count, default is "count".
- limit
- Syntax: limit=<bool>
- Description: Specifies how many tuples to return, "0" returns all values.
- percentfield
- Syntax: percentfield=<string>
- Description: Name of a new field to write the value of percentage, default is "percent".
- showcount
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple. Default is true.
- showpercent
- Syntax: showpercent=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple. Default is true.
Description
Finds the least frequent tuple of values of all fields in the field list. If optional by-clause is specified, this command will return rare tuples of values for each distinct tuple of values of the group-by fields.
Examples
Example 1: Return the least common values of the "url" field.
... | rare urlExample 2: Find the least common "user" value for a "host".
... | rare user by hostSee also
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.