
rare
Description
Displays the least common values of a field.
Finds the least frequent tuple of values of all fields in the field list. If the <by-clause> is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.
This command operates identically to the top command, except that the rare command finds the least frequent instead of the most frequent.
Syntax
rare [<top-options>...] <field-list> [<by-clause>]
Required arguments
- <field-list>
- Syntax: <string>,...
- Description: Comma-delimited list of field names.
Optional arguments
- <top-options>
- Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
- Description: Options that specify the type and number of values to display. These are the same <top-options> used by the top command.
- <by-clause>
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
Top options
- countfield
- Syntax: countfield=<string>
- Description: The name of a new field to write the value of count into.
- Default: "count"
- limit
- Syntax: limit=<int>
- Description: Specifies how many tuples to return. If you specify limit=0, all values up to maxresultrows are returned. See Limits section. Specifying a value larger than maxresultrows produces an error.
- Default: 10
- percentfield
- Syntax: percentfield=<string>
- Description: The name of a new field to write the value of percentage into.
- Default: "percent"
- showcount
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- Default: true
- showperc
- Syntax: showperc=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- Default: true
Usage
The rare command is a transforming command. See Command types.
The number of results returned by the rare command is controlled by the limit argument. The default value for the limit argument is 10. You can change this limit up to the maximum value specified in the maxresultrows setting in the [rare] stanza in the limits.conf file. The default maximum is 50,000, which effectively keeps a ceiling on the memory that the rare command uses.
Examples
1. Return the least common values in a field
Return the least common values in the "url" field. Limits the number of values returned to 5.
... | rare url limit=5
2. Return the least common values organized by host
Find the least common values in the "user" field for each "host" value. By default, a maximum of 10 results are returned.
... | rare user by host
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.10, 7.0.11, 6.3.1, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 7.0.3, 7.0.4, 7.0.5