Top: Splunk Commands Tutorials & Reference
Commands Category: Filtering
Commands: top
Use: Finds the most common values for the fields in the field list. Calculates a count and a percentage of how frequently each value occurs in the events. If the by clause is included, the results are grouped by the field you specify in the by clause. When you use the top command, two fields are added to the results: count and percent.
- countfield - For each value returned by the top command, the results also return a count of the events that have that value.
- limit - Specifies how many results to return. To return all values, specify zero ( 0 ). Specifying top limit=<int> is the same as specifying top N before the field list.
- otherstr - If useother=true, a row representing all other values is added to the results. Use otherstr=<string> to specify the name of the label for the row.
- percentfield - For each value returned by the top command, the results also return a percentage of the events that have that value.
- showcount - Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- showperc - Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
- useother - Specify whether or not to add a row that represents all values not included due to the limit cutoff.
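To make the options above concrete, here is an added Python model of what the top command produces (example code written for this page, not Splunk's implementation): it counts field tuples, optionally splits them by a by-field, applies limit, and honours showcount, showperc, countfield, percentfield, useother and otherstr. The event records are constructed sample access-log data, not the page's access_30day.log.

```python
from collections import Counter, defaultdict

# Constructed sample events (hypothetical, not from the page's data files).
EVENTS = [
    {"clientip": "10.0.0.1", "method": "GET", "status": "200"},
    {"clientip": "10.0.0.1", "method": "GET", "status": "404"},
    {"clientip": "10.0.0.2", "method": "POST", "status": "200"},
    {"clientip": "10.0.0.1", "method": "POST", "status": "500"},
    {"clientip": "10.0.0.3", "method": "GET", "status": "200"},
    {"clientip": "10.0.0.2", "method": "GET", "status": "200"},
]


def top(events, fields, by=None, limit=10, showcount=True, showperc=True,
        countfield="count", percentfield="percent", useother=False,
        otherstr="OTHER"):
    """Model of Splunk's top: most common tuples of `fields`, optionally per `by` value."""
    groups = defaultdict(Counter)
    for ev in events:
        # Events missing one of the requested fields are not counted at all.
        if any(f not in ev for f in fields) or (by and by not in ev):
            continue
        groups[ev[by] if by else None][tuple(ev[f] for f in fields)] += 1

    rows = []
    for key in (sorted(groups) if by else groups):
        counter = groups[key]
        total = sum(counter.values())        # percent is relative to this group's events
        ranked = counter.most_common()       # count descending
        shown = ranked if limit == 0 else ranked[:limit]
        if useother and limit and len(ranked) > limit:
            # Collapse everything past the limit into one labelled row.
            rest = sum(c for _, c in ranked[limit:])
            shown.append((tuple(otherstr for _ in fields), rest))
        for tup, cnt in shown:
            row = {} if by is None else {by: key}
            row.update(zip(fields, tup))
            if showcount:
                row[countfield] = cnt
            if showperc:
                row[percentfield] = round(100.0 * cnt / total, 6)
            rows.append(row)
    return rows


if __name__ == "__main__":
    for r in top(EVENTS, ["clientip"], limit=1, useother=True):
        print(r)
```

Running the block prints one row for the busiest client and one OTHER row, which is the shape `top 1 clientip useother=t` gives in Splunk.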
Using sample data access_30day.log
source="access_30day.log" HTTP 500
source="access_30day.log" HTTP (200 OR 30*)
source="access_30day.log" status=404 | sort - uri
source="access_30day.log" | head 1000 | top 50 clientip
source="access_30day.log" | head 1000 | top 50 referer
source="access_30day.log" | head 1000 | top 50 uri
source="access_30day.log" | head 1000 | top 50 method
Example Program using homeworkdataset.csv.
host=homework state=8 level=*
host=homework state=8 level=critical
host=homework state=8 level=critical | top state by level
This search returns the 20 most common values of the "referer" field. The results show the number of events (count) that have each referer value, and the percent that each referer is of the total number of events.
sourcetype=access_* | top limit=20 referer
This search returns the top "action" values for each "referer_domain".
sourcetype=access_* | top action by referer_domain
This search returns the top product purchased for each category. Do not show the percent field. Rename the count field to "total".
sourcetype=access_* status=200 action=purchase | top 1 productName by categoryId showperc=f countfield=total
Using sample data file vendor_sales.log - Find the most common values of a given field
index=sales sourcetype=vendor_sales | top Vendor
index=sales sourcetype=vendor_sales | top Vendor limit=20
index=sales sourcetype=vendor_sales | top Vendor limit=0
index=sales sourcetype=vendor_sales | top Vendor product_name limit=0
index=sales sourcetype=vendor_sales | top Vendor limit=5 showperc=false
index=sales sourcetype=vendor_sales | top Vendor limit=5 showperc=false countfield="Number of Sales"
index=sales sourcetype=vendor_sales | top product_name by Vendor limit=3 countfield="Number of Sales" showperc=false
Use the top command to find the best-selling productIds for all time.
Sample Data - Download sample data for lab - ../../tutorial/splunk/labs/fundamental/Splunk_f1_Data.zip
index=main sourcetype=access_combined_wcookie status=200 file=success.do | top productId
Use the limit argument to only return the number of rows requested.
index=main sourcetype=access_combined_wcookie status=200 file=success.do | top productId limit=5
Use the showperc option of top to remove percent from the display
index=main sourcetype=access_combined_wcookie status=200 file=success.do | top productId limit=5 showperc=false