Splunk® Enterprise

Search Reference

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

rare

Description

Displays the least common values in a field.

Finds the least frequent tuple of values of all fields in the field list. If the <by-clause> is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.

This command operates identically to the top command, except that the rare command finds the least frequent values instead of the most frequent values.

Syntax

rare [<rare-options>...] <field-list> [<by-clause>]

Required arguments

<field-list>
Syntax: <string>,...
Description: Comma-delimited list of field names.

Optional arguments

<rare-options>
Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
Description: Options that specify the type and number of values to display. These are the same as the <top-options> used by the top command.
<by-clause>
Syntax: BY <field-list>
Description: The name of one or more fields to group by.

Rare options

countfield
Syntax: countfield=<string>
Description: The name of a new field to write the value of count into.
Default: "count"
limit
Syntax: limit=<int>
Description: Specifies how many tuples to return. If you specify limit=0, all values up to the maxresultrows are returned. Specifying a value larger than the maxresultrows produces an error. See Usage.
Default: 10
percentfield
Syntax: percentfield=<string>
Description: Name of a new field to write the value of percentage.
Default: "percent"
showcount
Syntax: showcount=<bool>
Description: Specifies whether to add a field to your results with the count of the tuple. The name of the field is controlled by the countield argument.
Default: true
showperc
Syntax: showperc=<bool>
Description: Specifies whether to add a field to your results with the relative prevalence of that tuple. The name of the field is controlled by the percentfield argument.
Default: true

Usage

The rare command is a transforming command. See Command types.

Limit maximum

The number of results returned by the rare command is controlled by the limit argument. The default value for the limit argument is 10. The default maximum is 50,000, which effectively keeps a ceiling on the memory that the rare command uses.

You can change this limit up to the maximum value specified in the maxresultrows setting in the [rare] stanza in the limits.conf file.

Splunk Cloud Platform
To change the maxresultrows setting, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
To change the the maxresultrows setting in the limits.conf file, follow these steps.
Prerequisites
  • Only users with file system access, such as system administrators, can edit configuration files.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps
  1. Open or create a local limits.conf file in the desired path. For example, use the $SPLUNK_HOME/etc/apps/search/local path to apply this change only to the Search app.
  2. Under the [rare] stanza, change the value for the maxresultrows setting.

Examples

1. Return the least common values in a field

Return the least common values in the url field. Limits the number of values returned to 5.

... | rare url limit=5

2. Return the least common values organized by host

Find the least common values in the user field for each host value. By default, a maximum of 10 results are returned.

... | rare user by host

See also

Related commands
top
stats
sirare
Last modified on 15 September, 2022
rangemap   regex

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters