rare

rare

Synopsis

Displays the least common values of a field.

Syntax

rare <top-opt>* <field-list> [<by-clause>]

Required arguments

<field-list>

Syntax: <string>,...

Description: Comma-delimited list of field names.

<top-opt>

Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>

Description: Options for rare (same as top).

Optional arguments

<by-clause>

Syntax: by <field-list>

Description: The name of one or more fields to group by.

Top options

countfield

Syntax: countfield=<string>

Description: Name of a new field to write the value of count, default is "count".

limit

Syntax: limit=<bool>

Description: Specifies how many tuples to return, "0" returns all values.

percentfield

Syntax: percentfield=<string>

Description: Name of a new field to write the value of percentage, default is "percent".

showcount

Syntax: showcount=<bool>

Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple. Default is true.

showpercent

Syntax: showpercent=<bool>

Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple. Default is true.

Description

Finds the least frequent tuple of values of all fields in the field list. If optional by-clause is specified, this command will return rare tuples of values for each distinct tuple of values of the group-by fields.

Examples

Example 1: Return the least common values of the "url" field.

Example 2: Find the least common "user" value for a "host".

See also

top, stats, sirare

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the rare command.

• Was this topic useful?
• Post a comment