Displays the most common values of a field.
Finds the most frequent tuple of values of all fields in the field list, along with a count and percentage. If the optional by-clause is included, the command finds the most frequent values for each distinct tuple of values of the group-by fields.
top [<N>] [<top-options>...] <field-list> [<by-clause>]
Required arguments
<field-list>
- Syntax: <field>, <field>, ...
- Description: Comma-delimited list of field names.
Optional arguments
<N>
- Syntax: <int>
- Description: The number of results to return.
<top-options>
- Syntax: countfield=<string> | limit=<int> | otherstr=<string> | percentfield=<string> | showcount=<bool> | showperc=<bool> | useother=<bool>
- Description: Options for the top command. See Top options.
<by-clause>
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
Top options
- Syntax: countfield=<string>
- Description: The name of a new field that the value of count is written to.
- Default: "count"
- Syntax: limit=<int>
- Description: Specifies how many tuples to return. A value of "0" returns all values.
- Default: "10"
- Syntax: otherstr=<string>
- Description: If useother is true, specify the value that is written into the row representing all other values.
- Default: "OTHER"
- Syntax: percentfield=<string>
- Description: The name of a new field that the percentage value is written to.
- Default: "percent"
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- Default: true
- Syntax: showperc=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- Default: true
- Syntax: useother=<bool>
- Description: Specify whether or not to add a row that represents all values not included due to the limit cutoff.
- Default: false
By default the top command returns a maximum of 50,000 results. This maximum is controlled by the maxresultrows setting in the [top] stanza in the limits.conf file. Increasing this limit can result in more memory usage.
Only users with file system access, such as system administrators, can edit the configuration files. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.
If you are using Splunk Cloud and want to edit the configuration file, file a Support ticket.
Example 1: Return the 20 most common values for a field
This search returns the 20 most common values of the "referer" field. The results show the number of events (count) that have that referer, and the percent that each referer is of the total number of events.
sourcetype=access_* | top limit=20 referer
Example 2: Return top values for one field organized by another field
This search returns the top "action" values for each "referer_domain".
sourcetype=access_* | top action by referer_domain
Because a limit is not specified, this returns all the combinations of values for "action" and "referer_domain" as well as the counts and percentages:
Example 3: Return the top product purchased for each category
This search returns the top product purchased for each category. Do not show the percent field. Rename the count field to "total".
sourcetype=access_* status=200 action=purchase | top 1 productName by categoryId showperc=f countfield=total
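To make the option semantics concrete, the following Python model reproduces what the top command computes (count and percent per tuple, limit, useother/otherstr, countfield/percentfield, showcount/showperc and the by-clause) over a handful of constructed events, and runs the equivalent of Example 3. It is an added illustration, not Splunk code; the EVENTS list and the example3 function are constructed here.

```python
"""Model of the Splunk top command over in-memory events (added illustration,
not Splunk's own code): count/percent rows, limit, useother/otherstr, countfield,
percentfield, showcount/showperc and BY-clause semantics on constructed events."""
from collections import Counter, defaultdict


def top(events, fields, by=(), limit=10, showcount=True, showperc=True,
        countfield="count", percentfield="percent", useother=False,
        otherstr="OTHER"):
    """Return the rows `top <fields> by <by>` would produce, as dicts."""
    fields, by = tuple(fields), tuple(by)
    counts = defaultdict(Counter)        # by-tuple -> Counter of field tuples
    for ev in events:
        if all(f in ev for f in fields + by):   # events lacking a field are skipped
            counts[tuple(ev[b] for b in by)][tuple(ev[f] for f in fields)] += 1
    rows = []
    for group, ctr in sorted(counts.items()):
        total = sum(ctr.values())        # percent is relative to the group's events
        ranked = ctr.most_common()       # descending count; ties keep first-seen order
        shown = ranked if limit == 0 else ranked[:limit]   # limit=0 returns everything
        if useother and limit and len(ranked) > limit:
            # one extra row (otherstr) holding everything cut off by the limit
            shown.append(((otherstr,) * len(fields), sum(c for _, c in ranked[limit:])))
        for values, n in shown:
            row = dict(zip(by, group))
            row.update(zip(fields, values))
            if showcount:
                row[countfield] = n
            if showperc:
                row[percentfield] = round(100.0 * n / total, 6)
            rows.append(row)
    return rows


# Constructed sample events standing in for sourcetype=access_* results.
EVENTS = [
    {"action": "purchase", "categoryId": "STRATEGY", "productName": "Game A"},
    {"action": "purchase", "categoryId": "STRATEGY", "productName": "Game A"},
    {"action": "purchase", "categoryId": "STRATEGY", "productName": "Game B"},
    {"action": "purchase", "categoryId": "ARCADE", "productName": "Game C"},
    {"action": "view", "categoryId": "ARCADE", "productName": "Game C"},
    {"action": "addtocart", "categoryId": "SPORTS"},       # no productName
]


def example3():
    """Example 3: ... action=purchase | top 1 productName by categoryId showperc=f countfield=total"""
    purchases = [e for e in EVENTS if e.get("action") == "purchase"]
    return top(purchases, ["productName"], by=["categoryId"], limit=1,
               showperc=False, countfield="total")
```

Calling example3() yields one row per categoryId with the single most purchased productName and a "total" column but no percent column, which is the shape Example 3 produces.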
This documentation applies to the following versions of Splunk Cloud™: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3