bottom

Use the bottom command to display the n results (where n is a number you specify) that have the lowest aggregated value in the specified field. This command must be preceded by a STATS or CLUSTER command. The results of the command before the pipe character are sorted in ascending order on the specified field, and the first n rows are returned.

Syntax

[stats|cluster] | bottom [limit=<limit>] <field_name> [by <field_name>]

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter     Description

field_name    The field whose values determine the sort order. The results are sorted in ascending order of this field, and the rows with the lowest values are returned.

limit         The number of entries you want to see. If no value is specified, the default value of 10 is used. If you enter a value of -1, all rows are returned.

by            Optional. A field to group the results by. When specified, the limit is applied within each distinct value of this field, so the lowest entries are returned for each group.

The following command returns the 10 log sources with the lowest number of log entries. A source that produced no log entries at all does not appear in the output, because the STATS command only emits a row for each source that has at least one matching record.

* | stats count as cnt by Source 
    | bottom cnt

The following command returns the 20 targets with the fewest fatal log entries.

Severity = fatal 
    | stats count as cnt by 'Entity Type', Entity 
    | bottom limit = 20 cnt

The following command returns the 10 cluster summaries with the fewest similar log records.

* | cluster 
    | bottom Count

The following command returns, for each target type, the 2 targets with the lowest number of log entries:

* | stats count as cnt by Target, 'Target Type' 
    | bottom limit = 2 cnt by 'Target Type'

The following command returns, for each source IP, the 2 client host cities with the lowest bandwidth usage:

* | link 'Client Host City', 'Source IP' 
    | stats sum('Content Size Out') as 'Bandwidth Usage' 
    | bottom limit = 2 'Bandwidth Usage' by 'Source IP'
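The following Python code is an added reference model of the semantics described on this page (sort ascending on the aggregated field, keep limit rows, limit=-1 keeps all rows, and by applies the limit within each group). It is not Oracle's implementation of the command; the function names (stats_count, bottom) and the sample log records are constructed for illustration. It reproduces the first, second and fourth examples above over the constructed records.

```python
"""Reference model of the bottom command described above (added example).

This is a plain-Python model of the documented behaviour, not Oracle's
implementation. Function names and sample records are constructed.
"""
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List, Optional, Sequence, Tuple

Row = Dict[str, Any]

# Constructed sample log records (not from a real system).
RECORDS: List[Row] = [
    {"Source": "web01",   "Severity": "error", "Target Type": "host", "Target": "db01"},
    {"Source": "web01",   "Severity": "fatal", "Target Type": "host", "Target": "db01"},
    {"Source": "web01",   "Severity": "info",  "Target Type": "host", "Target": "db02"},
    {"Source": "web02",   "Severity": "fatal", "Target Type": "host", "Target": "db02"},
    {"Source": "web02",   "Severity": "fatal", "Target Type": "host", "Target": "db02"},
    {"Source": "bastion", "Severity": "info",  "Target Type": "user", "Target": "alice"},
    {"Source": "bastion", "Severity": "info",  "Target Type": "user", "Target": "bob"},
    {"Source": "bastion", "Severity": "info",  "Target Type": "user", "Target": "bob"},
    {"Source": "vpn",     "Severity": "warn",  "Target Type": "user", "Target": "carol"},
]


def stats_count(records: Iterable[Row], group_by: Sequence[str], alias: str = "cnt") -> List[Row]:
    """Model of ``stats count as <alias> by <fields>``: one row per distinct
    combination of the group-by fields, carrying the number of matching records.
    Groups with zero records never appear, which is why bottom cannot surface
    a source that logged nothing at all."""
    counts = Counter(tuple(r[f] for f in group_by) for r in records)
    return [dict(zip(group_by, key), **{alias: n}) for key, n in counts.items()]


def bottom(rows: Iterable[Row], field: str, limit: int = 10, by: Optional[str] = None) -> List[Row]:
    """Model of ``bottom [limit=<limit>] <field> [by <group>]``.

    Rows are sorted ascending on ``field`` (stable sort, so ties keep their
    input order). The first ``limit`` rows are kept; limit == -1 keeps all.
    With ``by``, the limit is applied within each distinct value of ``by``.
    """
    if limit != -1 and limit < 1:
        raise ValueError("limit must be a positive integer, or -1 for all rows")
    ordered = sorted(rows, key=lambda r: r[field])
    if by is None:
        return ordered if limit == -1 else ordered[:limit]
    kept: List[Row] = []
    seen: Dict[Any, int] = defaultdict(int)
    for r in ordered:
        if limit == -1 or seen[r[by]] < limit:
            kept.append(r)
            seen[r[by]] += 1
    return kept


def sources_with_fewest_entries(limit: int = 10) -> List[str]:
    """``* | stats count as cnt by Source | bottom limit=<limit> cnt``"""
    rows = bottom(stats_count(RECORDS, ["Source"]), "cnt", limit)
    return [r["Source"] for r in rows]


def fewest_fatal_targets(limit: int = 20) -> List[Tuple[str, str]]:
    """``Severity = fatal | stats count as cnt by 'Target Type', Target | bottom limit=<limit> cnt``"""
    fatal = (r for r in RECORDS if r["Severity"] == "fatal")
    rows = bottom(stats_count(fatal, ["Target Type", "Target"]), "cnt", limit)
    return [(r["Target Type"], r["Target"]) for r in rows]


def lowest_targets_per_type(limit: int = 2) -> Dict[str, List[str]]:
    """``* | stats count as cnt by Target, 'Target Type' | bottom limit=<limit> cnt by 'Target Type'``"""
    rows = bottom(stats_count(RECORDS, ["Target", "Target Type"]), "cnt", limit, by="Target Type")
    grouped: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        grouped[r["Target Type"]].append(r["Target"])
    return dict(grouped)


if __name__ == "__main__":
    print(sources_with_fewest_entries(2))
    print(fewest_fatal_targets())
    print(lowest_targets_per_type(2))
```

Because rows are sorted before the limit is applied, the rows returned with a by clause come back in ascending order of the sorted field across all groups, not grouped together; group them afterwards (as lowest_targets_per_type does) if you need per-group lists.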