top
Use this command to display either the specified number of field values with
the most occurrences or the specified number of results with the highest aggregated value as
determined by the specified field. If the field must represent an aggregated value, this
command must be preceded by a stats or cluster command.
The results from the command to the left of the pipe character are sorted in descending
order, based on the field specified, and the requested number of results are
displayed.
Syntax
top [<top_options>] <field_name> [by <field_name> [, <field_name>]*]Parameters
The following table lists the parameters used with this command, along with their descriptions.
| Parameter | Description |
|---|---|
field_name |
Use this parameter to specify the field according to which the highest aggregated values are determined. |
top_options |
Syntax:
|
The following query returns the 10 most frequent log sources.
*| top 'log source'The following query returns the 10 log sources with the highest number of log entries.
* | stats count as cnt by 'Log Source'
| top cntThe following query returns the 5 host entities with the most fatal log entries.
'Entity Type' = Host and Severity = fatal
| stats count as cnt by Entity, 'Entity Type'
| top limit = 5 cntThe following query returns the 10 summaries with the highest number of similar log records.
* | cluster | top CountThe following query returns the 2 highest number of log entries for each target type:
* | stats count as cnt by Target, 'Target Type'
| top limit = 2 cnt by 'Target Type'The following query returns the 2 highest bandwidth usage for each source IP:
* | link 'Client Host City', 'Source IP'
| stats sum('Content Size Out') as 'Bandwidth Usage'
| top limit = 2 'Bandwidth Usage' by 'Source IP'