
How to Use TOP and RARE Commands In Splunk

Written by: Eric Holsinger | Last Updated: February 26, 2024

Splunk Search Command Of The Week: top & rare

Originally Published: July 15, 2022

I get it, SPL is a very broad language. It has many commands, arguments, and functions that are difficult to remember when you need them most. But what if I told you there were a couple of commands that could do the heavy lifting for you?

They’re the TOP and RARE commands, and in this post, I’ll break down what each one is and how to use them. But first, what exactly is a TOP command?

What is a TOP command?

TOP is a Splunk command that allows you to easily find the most common values in a field. Alongside each value it also returns the number of events that have that value (count) and the share of events it represents (percent).

How to Use a TOP Command

There are two ways to use the TOP Command: Using the search bar or using interesting fields.

Splunk Pro Tip: There’s a super simple way to run searches simply—even with limited knowledge of SPL— using Search Library in the Atlas app on Splunkbase. You’ll get access to thousands of pre-configured Splunk searches developed by Splunk Experts across the globe. Simply find a search string that matches what you’re looking for, copy it, and use it right in your own Splunk environment. Try speeding up your top and rare command searches right now using these SPL templates, completely free.


TOP Command Using the Search Bar

Let’s use this SPL search query as an example. It finds the ten most common values of the user field the long way, with stats, sort and head; the TOP command does the same job in one step:

index=main | stats count as count by user | sort - count | head 10

Step 1: Set the time parameters of your search.

Splunk Pro Tip: We do not recommend using “all time” as this is not a best practice when creating queries in Splunk. Instead, narrow down your search to the most relevant time frame. We use “all time” here for example purposes as this is test data.

Step 2: Type the TOP command you want to use.

For this example, we’re using |top categoriesId to see the top categories within our environment. By default, the TOP command will return the top 10 results in the query.

Step 3: Refine your search.

You can refine the results of your query with two options: limit and showperc.

Limit Option
|top categoriesId limit=5

The limit option caps your top results at the first five values.

Percentage Option
|top categoriesId limit=5 showperc=f

The showperc option is true by default, which means the results always include a percent column showing what share of events each value represents in your Splunk environment. If you don’t need this information and want a cleaner result, turn the column off by adding showperc=f or showperc=false.

To add the percentage column back in, simply change the option to showperc=t or showperc=true: |top categoriesId limit=5 showperc=t.

TOP Command Using Interesting Fields

Step 1: Select an interesting field from the column on the left.

We chose categoryId for this example.

Step 2: Select “Top values.”

Step 3: Review your Top command in the search bar.

In the search bar, you’ll see the TOP command has been created for you — this time with a pre-populated limit of 20.

Doing the TOP command this way also shows you a visualization of the data, but you can switch back to the table view by selecting “Statistics.”

What is a Rare Command?

Rare is a Splunk command that allows you to easily find the least common values in a field. Just like the TOP command, the rare command also returns the number of events that have each value (count) and the share of events it represents (percent).

How to Use a Rare Command

There are two ways to use the rare Command: Using the search bar or using interesting fields.

Rare Command Using the Search Bar

Let’s use the same SPL search query as an example:

index=main | stats count as count by user | sort - count | head 10

Step 1: Set the time parameters of your search.

Step 2: Type the rare command you want to use.

Rare commands follow this syntax:

|rare <options> field <by-clause>

For this example, we’re using |rare categoriesId to see the least common categories within our environment. By default, the rare command returns the least common values first, in ascending order of count.

Step 3: Refine your search.

You can refine the results of your query with two options: limit and showperc.

Limit Option
|rare categoriesId limit=3

The limit option caps your rare results at the first three values.

Percentage Option
|rare categoriesId limit=3 showperc=f

The showperc option is true by default, which means the results always include a percent column showing what share of events each value represents in your Splunk environment. If you don’t need this information and want a cleaner result, turn the column off by adding showperc=f or showperc=false.

To add the percentage column back in, simply change the option to showperc=t or showperc=true: |rare categoriesId limit=3 showperc=t.

Rare Command Using Interesting Fields

Step 1: Select an interesting field from the column on the left.

We chose categoryId for this example.

Step 2: Select “Rare values.”

Step 3: Review your rare command in the search bar.

In the search bar, you’ll see the rare command has been created for you — this time with a pre-populated limit of 20.

Doing the rare command this way also shows you a visualization of the data, but you can switch back to the table view by selecting “Statistics.”

TOP Command and Rare Command Syntax

Top commands use this syntax:

|top <options> field <by-clause>

And rare commands use this syntax:

|rare <options> field <by-clause>

In both commands, <options> and <by-clause> are optional: <options> is where limit and showperc go, and <by-clause> splits the results by another field. Here’s an example of how you could use this syntax:

|top categoryId by action

This command tells Splunk to find the most common values of the categoryId field separately for each value of the action field, so you see the top categories for each action the user took.
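To make the behaviour described above concrete, here is an added example in Python; it is not code from the article or from Splunk. It emulates what top and rare compute over a small constructed set of events: the count and percent columns, the limit and showperc options, and the way a by-clause splits the results per group (percent is taken within each group). The field names categoryId and action and the sample events are constructed for the illustration, and since Splunk does not promise a tie-breaking order, ties here are broken alphabetically by value.

```python
from collections import Counter

# Constructed sample events (not from the article's environment): each event
# records the category a user browsed and the action they took.
EVENTS = [
    {"categoryId": "books", "action": "view"},
    {"categoryId": "books", "action": "view"},
    {"categoryId": "books", "action": "purchase"},
    {"categoryId": "games", "action": "view"},
    {"categoryId": "games", "action": "view"},
    {"categoryId": "music", "action": "view"},
    {"categoryId": "music", "action": "addtocart"},
    {"categoryId": "video", "action": "view"},
    {"categoryId": "video", "action": "purchase"},
    {"categoryId": "tools", "action": "view"},
]


def spl_command(field, by=None, limit=10, showperc=True, rare=False):
    """Render the SPL line that a call to top_or_rare() corresponds to,
    e.g. '| top limit=5 showperc=f categoryId by action'."""
    parts = ["| rare" if rare else "| top"]
    if limit != 10:               # 10 is Splunk's default limit
        parts.append(f"limit={limit}")
    if not showperc:              # showperc is true by default
        parts.append("showperc=f")
    parts.append(field)
    if by is not None:
        parts.append(f"by {by}")
    return " ".join(parts)


def top_or_rare(events, field, by=None, limit=10, showperc=True, rare=False):
    """Emulate `| top <field> [by <by>]` (or `| rare ...` when rare=True).

    Returns one row per (group, value) pair shaped like Splunk's statistics
    table: the by field (if any), the field, count and, when showperc is
    true, percent.  Events lacking the field (or the by field) are skipped,
    matching top/rare, which only count events that have the field.
    """
    counts = Counter()   # (group, value) -> number of events
    totals = Counter()   # group -> number of events with the field
    for ev in events:
        if field not in ev or (by is not None and by not in ev):
            continue
        group = ev[by] if by is not None else None
        counts[(group, ev[field])] += 1
        totals[group] += 1

    rows = []
    for group in sorted(totals, key=str):
        members = [(val, n) for (g, val), n in counts.items() if g == group]
        # top: most common first; rare: least common first.
        # Ties are broken by value so the output is stable (our choice).
        members.sort(key=lambda item: ((item[1] if rare else -item[1]), str(item[0])))
        if limit > 0:            # limit=0 means "return every value"
            members = members[:limit]
        for val, n in members:
            row = {}
            if by is not None:
                row[by] = group
            row[field] = val
            row["count"] = n
            if showperc:
                # percent is relative to the events in the same by-group
                row["percent"] = round(100.0 * n / totals[group], 6)
            rows.append(row)
    return rows


if __name__ == "__main__":
    for kwargs in (
        {"field": "categoryId"},
        {"field": "categoryId", "limit": 3, "rare": True},
        {"field": "categoryId", "by": "action", "limit": 1, "showperc": False},
    ):
        print(spl_command(**kwargs))
        for row in top_or_rare(EVENTS, **kwargs):
            print("   ", row)
```

Running the block prints the SPL line for each variant followed by the rows it would produce, so you can compare the emulation with what the Statistics tab shows for the same data; the books row in the plain top case reads count 3, percent 30.0 because 3 of the 10 events carry that value.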

If you found this helpful…

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.

