Displays the most common values of a field.

Finds the most frequent tuple of values of all fields in the field list, along with a count and percentage. If the optional by-clause is included, the command finds the most frequent values for each distinct tuple of values of the group-by fields.


top [<N>] [<top-options>...] <field-list> [<by-clause>]

Required arguments

Syntax: <field>, <field>, ...
Description: Comma-delimited list of field names.

Optional arguments

Syntax: <int>
Description: The number of results to return.
Syntax: countfield=<string> | limit=<int> | otherstr=<string> | percentfield=<string> | showcount=<bool> | showperc=<bool> | useother=<bool>
Description: Options for the top command. See Top options.
Syntax: BY <field-list>
Description: The name of one or more fields to group by.

Top options

Syntax: countfield=<string>
Description: The name of a new field that the value of count is written to.
Default: "count"
Syntax: limit=<int>
Description: Specifies how many tuples to return, "0" returns all values.
Default: "10"
Syntax: otherstr=<string>
Description: If useother is true, specify the value that is written into the row representing all other values.
Default: "OTHER"
Syntax: percentfield=<string>
Description: Name of a new field to write the value of percentage.
Default: "percent"
Syntax: showcount=<bool>
Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
Default: true
Syntax: showperc=<bool>
Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
Default: true
Syntax: useother=<bool>
Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff.
Default: false


By default the top command returns a maximum of 50,000 results. This maximum is controlled by the maxresultrows setting in the [top] stanza in the limits.conf file. Increasing this limit can result in more memory usage.

Only users with file system access, such as system administrators, can edit the configuration files. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

See How to edit a configuration file.

If you are using Splunk Cloud and want to edit the configuration file, file a Support ticket.


Example 1: Return the 20 most common values for a field

This search returns the 20 most common values of the "referer" field. The results show the number of events (count) that have that a count of referer, and the percent that each referer is of the total number of events.

sourcetype=access_* | top limit=20 referer

This screen image shows the results of the search. There are three columns in the results: referer, count, and percent.

Example 2: Return top values for one field organized by another field

This search returns the top "action" values for each "referer_domain".

sourcetype=access_* | top action by referer_domain

Because a limit is not specified, this returns all the combinations of values for "action" and "referer_domain" as well as the counts and percentages:

This screen image shows the results of the search. The results display four columns: referer_domain, action, count, and percent.

Example 3: Returns the top product purchased for each category

This search returns the top product purchased for each category. Do not show the percent field. Rename the count field to "total".

sourcetype=access_* status=200 action=purchase | top 1 productName by categoryId showperc=f countfield=total

This screen image shows the results of the search. The results shows three columns: categoryId, productName, and total.

This documentation applies to the following versions of Splunk Cloud: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3

