Splunk Cloud Platform

Search Reference



Displays the least common values in a field.

Finds the least frequent tuple of values of all fields in the field list. If the <by-clause> is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.

This command operates identically to the top command, except that the rare command finds the least frequent values instead of the most frequent values.


rare [<rare-options>...] <field-list> [<by-clause>]

Required arguments

Syntax: <string>,...
Description: Comma-delimited list of field names.

Optional arguments

Syntax: countfield=<string> | limit=<int> | percentfield=<string> | showcount=<bool> | showperc=<bool>
Description: Options that specify the type and number of values to display. These are the same as the <top-options> used by the top command.
Syntax: BY <field-list>
Description: The name of one or more fields to group by.

Rare options

Syntax: countfield=<string>
Description: The name of a new field to write the value of count into.
Default: "count"
Syntax: limit=<int>
Description: Specifies how many tuples to return. If you specify limit=0, all values up to the maxresultrows are returned. Specifying a value larger than the maxresultrows produces an error. See Usage.
Default: 10
Syntax: percentfield=<string>
Description: Name of a new field to write the value of percentage.
Default: "percent"
Syntax: showcount=<bool>
Description: Specifies whether to add a field to your results with the count of the tuple. The name of the field is controlled by the countield argument.
Default: true
Syntax: showperc=<bool>
Description: Specifies whether to add a field to your results with the relative prevalence of that tuple. The name of the field is controlled by the percentfield argument.
Default: true


The rare command is a transforming command. See Command types.

Limit maximum

The number of results returned by the rare command is controlled by the limit argument. The default value for the limit argument is 10. The default maximum is 50,000, which effectively keeps a ceiling on the memory that the rare command uses.

You can change this limit up to the maximum value specified in the maxresultrows setting in the [rare] stanza in the limits.conf file.

Splunk Cloud Platform
To change the maxresultrows setting, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
To change the the maxresultrows setting in the limits.conf file, follow these steps.
  • Only users with file system access, such as system administrators, can edit configuration files.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

  1. Open or create a local limits.conf file in the desired path. For example, use the $SPLUNK_HOME/etc/apps/search/local path to apply this change only to the Search app.
  2. Under the [rare] stanza, change the value for the maxresultrows setting.


1. Return the least common values in a field

Return the least common values in the url field. Limits the number of values returned to 5.

... | rare url limit=5

2. Return the least common values organized by host

Find the least common values in the user field for each host value. By default, a maximum of 10 results are returned.

... | rare user by host

See also

Related commands
Last modified on 15 September, 2022
rangemap   regex

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters