top

Version: v4.22
top
Shows the most common values. The dual to rare.
top x:field
Description
Shows the most common values for a given field. For each value, a new event containing its count will be produced. In general, top x is equivalent to:
summarize x, count=count() sort -count
Potentially High Memory Usage
Take care when using this operator with large inputs.
x: field
The field to find the most common values for.
Examples
Find the most common values for x.
from [ {x: "B"}, {x: "A"}, {x: "A"}, {x: "B"}, {x: "A"}, {x: "D"}, {x: "C"}, {x: "C"}, ] top x ―――――――――――――――――― {x: "A", count: 3} {x: "B", count: 2} {x: "C", count: 2} {x: "D", count: 1}
Show the five most common values for id.orig_h:
top id.orig_h head 5
Edit this page

Description​

x: field​

Examples​

Description

`x: field`

Examples