Splunk® Enterprise

Search Manual


Visualize field value highs and lows

This topic discusses how to use the transforming commands, top and rare, to create charts that display the most and least common values.

The top and rare commands

The top command returns the most frequent values of a specified field in your returned events. The rare command returns the least common values of a specified field in your returned events. Both commands share the same syntax. If you don't specify a limit, both top and rare display ten values by default.


Examples

Example 1: Generate a report that sorts through firewall information to list the top 100 destination ports used by your system:

sourcetype=firewall | top limit=100 dst_port

Example 2: Generate a report that shows you the source ports with the lowest number of denials.

sourcetype=firewall action=Deny | rare src_port

A more complex example of the top command

Say you're indexing an alert log from a monitoring system, and you have two fields:

  • msg is the message, such as CPU at 100%.
  • mc_host is the host that generates the message, such as log01.

How do you get a report that displays the top msg and the values of mc_host that sent them, so you get a table like this:

Messages by mc_host

  • CPU at 100%: log01, log02, log03
  • Log File Alert: host02, host56, host11

To do this, set up a search that finds the top message per mc_host (using limit=1 so that only one message is returned per host) and then sorts the results by the message count in descending order:

sourcetype=alert_log | top 1 msg by mc_host | sort -count
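To make concrete what these three searches return (the count and percent columns that top and rare add, and how a by clause applies the limit per group), here is an added Python emulation run over constructed events. It is not part of the Splunk documentation or Splunk's own implementation; the FIREWALL and ALERTS event lists are made up for the example.

```python
from collections import Counter

# Constructed sample events (not from the original page), standing in for indexed
# firewall and alert_log events carrying the fields the page's searches use.
FIREWALL = [
    {"sourcetype": "firewall", "action": "Deny",  "dst_port": "445",  "src_port": "51001"},
    {"sourcetype": "firewall", "action": "Deny",  "dst_port": "445",  "src_port": "51002"},
    {"sourcetype": "firewall", "action": "Allow", "dst_port": "443",  "src_port": "51003"},
    {"sourcetype": "firewall", "action": "Deny",  "dst_port": "3389", "src_port": "51001"},
    {"sourcetype": "firewall", "action": "Allow", "dst_port": "443",  "src_port": "51004"},
    {"sourcetype": "firewall", "action": "Deny",  "dst_port": "445",  "src_port": "51001"},
]
ALERTS = [
    {"sourcetype": "alert_log", "msg": "CPU at 100%",    "mc_host": "log01"},
    {"sourcetype": "alert_log", "msg": "CPU at 100%",    "mc_host": "log01"},
    {"sourcetype": "alert_log", "msg": "Log File Alert", "mc_host": "log01"},
    {"sourcetype": "alert_log", "msg": "CPU at 100%",    "mc_host": "log02"},
    {"sourcetype": "alert_log", "msg": "Log File Alert", "mc_host": "host02"},
]

def search(events, **terms):
    """The base-search part (e.g. sourcetype=firewall action=Deny): keep matching events."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]

def top(events, field, limit=10, by=None, rare=False):
    """Emulate `top`/`rare`: per by-value, the `limit` most (or least) frequent values of
    `field`, each with its count and its percent of the group's events that carry the field."""
    groups = {}
    for e in events:
        if field not in e or (by is not None and by not in e):
            continue                      # events lacking the field are not counted
        groups.setdefault(e[by] if by else None, Counter())[e[field]] += 1
    rows = []
    for key, counts in groups.items():
        total = sum(counts.values())
        # top: highest count first; rare: lowest count first; ties broken by value
        order = sorted(counts.items(), key=lambda kv: (kv[1] if rare else -kv[1], kv[0]))
        for value, n in order[:limit]:    # default limit is 10, as on the page
            row = {by: key} if by else {}
            row.update({field: value, "count": n, "percent": round(100.0 * n / total, 6)})
            rows.append(row)
    return rows

def example1():   # sourcetype=firewall | top limit=100 dst_port
    return top(search(FIREWALL, sourcetype="firewall"), "dst_port", limit=100)

def example2():   # sourcetype=firewall action=Deny | rare src_port
    return top(search(FIREWALL, sourcetype="firewall", action="Deny"), "src_port", rare=True)

def example3():   # sourcetype=alert_log | top 1 msg by mc_host | sort -count
    rows = top(search(ALERTS, sourcetype="alert_log"), "msg", limit=1, by="mc_host")
    return sorted(rows, key=lambda r: -r["count"])
```

Note that percent is relative to the events in the same by-group, so example3 reports 66.666667 for log01 (two of its three alerts) and 100.0 for hosts that sent a single message.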


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0

