Splunk Search Command of the Week: TOP

I get it, SPL is a very wide language. With so many commands, arguments, functions, you name it. It’s a lot to learn and definitely a lot to remember. But what if I told you there were a couple of commands, that can almost do it all for you.

Let’s take a look at this search…

index=main| stats count as count by user | sort – count | head 10

A relatively easy search, for sure. But what if I could make it easier for you? Allow me to introduce the TOP, or Rare, Splunk Search Commands. TOP allows you to easily find the most common values in fields. It will also help you find information behind your event values like count and percentage of the frequency.

TOP Syntax

Now, we can explore the syntax for TOP Search Command.

|top <options> field <by-clause>

Here are the options:

  • Limit = limit the number of results
  • Showperc = show the activity percent field of the value

Field = filed you want to find the top values of

By-clause = a field you want to filter by

TOP Results 

Now, let’s show the value in this search. Take the same search referenced above used with the new commands:

Index=main| top limit=10 user

And blam, same results, less… search.

Figure 1 - TOP Results

Figure 1 – TOP Search Command Results

Ask the Experts

Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!

Author

Start typing and press Enter to search