Documentation > Splunk > Search Reference > top

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Search in the CLI

top

Contents

top

Synopsis

Displays the most common values of a field.

Syntax

top <top-opt>* <field-list> [<by-clause>]

Required arguments

<field-list>
Syntax: <field>, ...
Description: Comma-delimited list of field names.
<top-opt>
Syntax: countfield=<string> | limit=<int> | otherstr=<string> | percentfield=<string> | rare=<bool> | showcount=<bool> | showperc=<bool> | useother=<bool>
Description: Options for top.

Optional arguments

<by-clause>
Syntax: by <field-list>
Description: The name of one or more fields to group by.

Top options

countfield
Syntax: countfield=<string>
Description: Name of a new field to write the value of count, default is "count".
limit
Syntax: limit=<int>
Description: Specifies how many tuples to return, "0" returns all values. Default is "10".
otherstr
Syntax: otherstr=<string>
Description: If useother is true, specify the value that is written into the row representing all other values. Default is "OTHER".
percentfield
Syntax: percentfield=<string>
Description: Name of a new field to write the value of percentage, default is "percent".
rare
Syntax: rare=<bool>
Description: When true, evokes the behavior of calling the rare command; default is false.
showcount
Syntax: showcount=<bool>
Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple. Default is true.
showperc
Syntax: showperc=<bool>
Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple. Default is true.
useother
Syntax: useother=<bool>
Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff. Default is false.

Description

Finds the most frequent tuple of values of all fields in the field list, along with a count and percentage. If a the optional by-clause is provided, we will find the most frequent values for each distinct tuple of values of the group-by fields.

Examples

Example 1: Return the 20 most common values of the "url" field.

... | top limit=20 url

Example 2: Return top "user" values for each "host".

... | top user by host

Example 3: Return top URL values.

... | top url


See also

rare, sitop, stats

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the top command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Top"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!