Remember we talked about the TOP command? Well turns out there is a command that works exactly the same way but you get results for the fewest occurrences in your data.
It is called RARE. Where TOP provides you with the most common values in your data, rare shows you the values that occur the fewest.
More About Rare
Something we can accomplish with the search below:
index=main| stats count as count by user | sort count | head 10
Again, an easy search, but we can make it easier…
Index=main| rare limit=10 user
Wango Bango! Same results, less…search.
How to Use Rare
Let’s explore the syntax:
|rare <options> field <by-clause>
Options –
- Limit = limit the number of results
- Showperc = show the activity percent field of the value
Field = filed you want to find the top values of
By-clause = a field you want to filter by
And there you have it. Rare command is an easier search… but is important to utilize.
Ask the Experts
Our Splunk Search Command Series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!
No comment yet, add your voice below!