Displays the least common values of a field.
Finds the least frequent tuple of values of all fields in the field list. If the <by-clause> is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.
This command operates identically to the
top command, except that the
rare command finds the least frequent instead of the most frequent.
rare [<top-options>...] <field-list> [<by-clause>]
- Syntax: <string>,...
- Description: Comma-delimited list of field names.
- Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
- Description: Options that specify the type and number of values to display. These are the same <top-options> used by the
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
- Syntax: countfield=<string>
- Description: The name of a new field to write the value of count into.
- Default: "count"
- Syntax: limit=<int>
- Description: Specifies how many tuples to return. If you specify
limit=0, all values up to maxresultrows are returned. See Limits section. Specifying a value larger than maxresultrows produces an error.
- Default: 10
- Syntax: percentfield=<string>
- Description: Name of a new field to write the value of percentage.
- Default: "percent"
- Syntax: showcount=<bool>
- Description: Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- Default: true
- Syntax: showperc=<bool>
- Description: Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- Default: true
The number of results returned by the
rare command is controlled by the
limit argument. The default value for the
limit argument is 10. You can change this limit up to the maximum value specified in the
maxresultrows setting in the
[rare] stanza in the limits.conf file. The default maximum is 50,000, which effectively keeps a ceiling on the memory that the
rare command uses.
1. Return the least common values in a field
Return the least common values in the "url" field. Limits the number of values returned to 5.
... | rare url limit=5
2. Return the least common values organized by host
Find the least common values in the "user" field for each "host" value. By default, a maximum of 10 results are returned.
... | rare user by host
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the rare command.
This documentation applies to the following versions of Splunk Cloud™: 7.0.11, 7.0.13, 7.1.3, 7.1.6, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 8.0.2001