Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

rare

Description

Displays the least common values of a field.

Finds the least frequent tuple of values of all fields in the field list. If the <by-clause> is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.

This command operates identically to the top command, except that the rare command finds the least frequent instead of the most frequent.

Syntax

rare [<top-options>...] <field-list> [<by-clause>]

Required arguments

<field-list>
Syntax: <string>,...
Description: Comma-delimited list of field names.

Optional arguments

<top-options>
Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
Description: Options that specify the type and number of values to display. These are the same <top-options> used by the top command.
<by-clause>
Syntax: BY <field-list>
Description: The name of one or more fields to group by.

Top options

countfield
Syntax: countfield=<string>
Description: The name of a new field to write the value of count into.
Default: "count"
limit
Syntax: limit=<int>
Description: Specifies how many tuples to return. If you specify limit=0, all values up to maxresultrows are returned. See Limits section. Specifying a value larger than maxresultrows produces an error.
Default: 10
percentfield
Syntax: percentfield=<string>
Description: Name of a new field to write the value of percentage.
Default: "percent"
showcount
Syntax: showcount=<bool>
Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
Default: true
showperc
Syntax: showperc=<bool>
Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
Default: true

Usage

The rare command is a transforming command. See Command types.

The number of results returned by the rare command is controlled by the limit argument. The default value for the limit argument is 10. You can change this limit up to the maximum value specified in the maxresultrows setting in the [rare] stanza in the limits.conf file. The default maximum is 50,000, which effectively keeps a ceiling on the memory that the rare command uses.

Examples

1. Return the least common values in a field

Return the least common values in the "url" field. Limits the number of values returned to 5.

... | rare url limit=5

2. Return the least common values organized by host

Find the least common values in the "user" field for each "host" value. By default, a maximum of 10 results are returned.

... | rare user by host

See also

top, stats, sirare

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the rare command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Rare:4.1&oldid=1022361"
PREVIOUS
rangemap 		  NEXT
regex

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.4, 6.4.10, 6.4.11, 6.0.1, 6.4.3, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 6.4.5, 6.4.6, 6.4.7

Comments

How do you define RARE what is the stats that decide how rare is rare

Mcronkrite
March 13, 2014

Thanks! It's been updated. ^_^

Sophy, Splunker
June 20, 2013

Under Top Options, you say limit= when it should be limit=. You also don't document rare= under Top Options.

Gpullis
March 22, 2011

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters