Visualize field value highs and lows
This topic discusses how to use the transforming commands, top and rare, to create charts that display the most and least common values.
The top and rare commands
The top command returns the most frequent values of a specified field in your returned events. The rare command returns the least common values of a specified field in your returned events. Both commands share the same syntax. If you don't specify a limit, the default number of values displayed by top or rare is ten.
Examples
Example 1: Generate a report that sorts through firewall information to list the top 100 destination ports used by your system:
sourcetype=firewall | top limit=100 dst_port
Example 2: Generate a report that shows you the source ports with the lowest number of denials.
sourcetype=firewall action=Deny | rare src_port
A more complex example of the top command
Say you're indexing an alert log from a monitoring system, and you have two fields:
msg is the message, such as CPU at 100%.
mc_host is the host that generates the message, such as log01.
How do you get a report that displays the top msg values and the values of mc_host that sent them, so you get a table like this:
Messages by mc_host
  CPU at 100%       log01, log02, log03
  Log File Alert    host02, host56, host11
To do this, set up a search that finds the top message per mc_host (limit=1, written here in its shorthand form top 1, so that only one message is returned per host) and then sort by the message count in descending order:
sourcetype=alert_log | top 1 msg by mc_host | sort - count
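To make the behaviour of the three searches on this page concrete, the following Python script is an added example (not part of the Splunk documentation and not Splunk's implementation): it reimplements what top and rare compute (per-value count and percent, optional by-clause, limit, most- or least-common ordering) and runs the firewall and alert-log searches from this page against constructed sample events. The event lists, port numbers, host names and message counts are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample events standing in for indexed Splunk events (not from the page).
def _fw(action, src_port, dst_port, n):
    return [{"sourcetype": "firewall", "action": action,
             "src_port": src_port, "dst_port": dst_port} for _ in range(n)]

def _alert(host, msg, n):
    return [{"sourcetype": "alert_log", "mc_host": host, "msg": msg} for _ in range(n)]

FIREWALL_EVENTS = (
    _fw("Allow", 50000, 443, 4) + _fw("Allow", 50100, 80, 3) + _fw("Allow", 50200, 22, 1)
    + _fw("Deny", 40000, 3389, 3) + _fw("Deny", 40001, 3389, 2) + _fw("Deny", 40002, 8080, 1)
)
ALERT_EVENTS = (
    _alert("log01", "CPU at 100%", 3) + _alert("log01", "Disk full", 1)
    + _alert("log02", "CPU at 100%", 2)
    + _alert("log03", "CPU at 100%", 2) + _alert("log03", "Log File Alert", 1)
    + _alert("host11", "Log File Alert", 3) + _alert("host11", "CPU at 100%", 1)
    + _alert("host02", "Log File Alert", 2)
    + _alert("host56", "Log File Alert", 1)
)


def _rank(events, field, limit, by, least_common):
    """Shared engine for top/rare: count the values of `field` (separately per value
    of `by` when given), attach count and percent the way Splunk's default countfield
    and percentfield do, and keep the `limit` most (or least) common values per group."""
    groups = defaultdict(Counter)
    for event in events:
        if field not in event or (by and by not in event):
            continue  # events that lack the field(s) do not take part in the ranking
        groups[event[by] if by else None][event[field]] += 1
    rows = []
    for key, counts in groups.items():
        total = sum(counts.values())  # percent is relative to the group's own total
        ordered = sorted(counts.items(), key=lambda kv: (kv[1], str(kv[0])),
                         reverse=not least_common)
        for value, count in ordered[:limit]:
            row = {field: value, "count": count, "percent": 100.0 * count / total}
            rows.append({by: key, **row} if by else row)
    return rows


def top(events, field, limit=10, by=None):
    """Most common values first; default limit of ten, as on the page."""
    return _rank(events, field, limit, by, least_common=False)


def rare(events, field, limit=10, by=None):
    """Least common values first; same syntax and defaults as top."""
    return _rank(events, field, limit, by, least_common=True)


def top_destination_ports(limit=100):
    """sourcetype=firewall | top limit=100 dst_port"""
    return top([e for e in FIREWALL_EVENTS if e["sourcetype"] == "firewall"],
               "dst_port", limit=limit)


def rarest_denied_source_ports():
    """sourcetype=firewall action=Deny | rare src_port"""
    denied = [e for e in FIREWALL_EVENTS
              if e["sourcetype"] == "firewall" and e["action"] == "Deny"]
    return rare(denied, "src_port")


def top_message_per_host():
    """sourcetype=alert_log | top 1 msg by mc_host | sort - count"""
    rows = top(ALERT_EVENTS, "msg", limit=1, by="mc_host")
    # Python's sort is stable, so hosts with equal counts keep their first-seen order.
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def messages_by_host():
    """Fold the sorted rows into the 'Messages by mc_host' table shape from the text."""
    table = defaultdict(list)
    for row in top_message_per_host():
        table[row["msg"]].append(row["mc_host"])
    return dict(table)


if __name__ == "__main__":
    for row in top_destination_ports():
        print("top dst_port:", row)
    for row in rarest_denied_source_ports():
        print("rare src_port:", row)
    for msg, hosts in messages_by_host().items():
        print(f"{msg:<16}{', '.join(hosts)}")
```

Two points the reimplementation makes visible: percent is computed against the events that actually carry the field (per by-group when a by-clause is present), so it is not a share of all events in the search, and the default limit of ten applies per group of the by-clause, not to the whole result set.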
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408