top

Use this command to display either the specified number of field values with the most occurrences, or the specified number of results with the highest value in the specified field. In the second form the field holds an aggregated value, so top must be preceded by a stats or cluster command that produces it. The results from the command to the left of the pipe character are sorted in descending order by the specified field, and the requested number of results is displayed. When a by clause is given, the results are grouped by the by fields and the limit applies to each group separately.

Syntax

top [<top_options>] <field_name> [by <field_name> [, <field_name>]*]

Parameters

The following table lists the parameters used with this command, along with their descriptions.

Parameter     Description

field_name    The field by which the results are ranked. In the first form it is the field whose most frequent values are counted; in the second form it is the aggregated field (for example a count produced by stats) whose highest values are returned.

top_options   Syntax: [limit=<limit>]

              limit: the number of results to return. If no value is specified, the default of 10 is used. A value of -1 returns all rows. When a by clause is present, the limit applies to each group.

The following query returns the 10 most frequent log sources, ranked by how many log entries each one contributes.

* | top 'Log Source'

The following query returns the 10 log sources with the highest number of log entries. It produces the same ranking as the previous query, but computes the count explicitly with stats so that the aggregated value is available as the field cnt.

* | stats count as cnt by 'Log Source' 
    | top cnt

The following query returns the 5 host entities with the most fatal log entries.

'Entity Type' = Host and Severity = fatal 
    | stats count as cnt by Entity, 'Entity Type' 
    | top limit = 5 cnt

The following query returns the 10 summaries with the highest number of similar log records.

* | cluster | top Count

The following query returns, for each target type, the 2 targets with the highest number of log entries:

* | stats count as cnt by Target, 'Target Type' 
    | top limit = 2 cnt by 'Target Type'
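To make the two forms of top and the per-group limit concrete, the following Python script is an added example (not part of the page or the product) that reproduces the behaviour of the queries above over a constructed set of log entries. The records, field values and the helper names top_values, stats_count and top_rows are assumptions for illustration; the per-group query uses Entity and 'Entity Type' in place of the Target fields used on the page, and ties keep their input order because the page does not specify the product's tie-break.

```python
from collections import Counter, defaultdict

# Constructed sample log entries (not real data). Field names follow the
# page's examples: 'Log Source', Entity, 'Entity Type', Severity.
RECORDS = [
    {"Log Source": "Linux Secure Logs",   "Entity": "web01", "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Syslog Logs",   "Entity": "web01", "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Syslog Logs",   "Entity": "web01", "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Secure Logs",   "Entity": "db01",  "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Database Alert Logs", "Entity": "db01",  "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Syslog Logs",   "Entity": "app01", "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Syslog Logs",   "Entity": "app01", "Entity Type": "Host",     "Severity": "error"},
    {"Log Source": "Database Alert Logs", "Entity": "ORCL",  "Entity Type": "Database", "Severity": "fatal"},
    {"Log Source": "Linux Secure Logs",   "Entity": "fw01",  "Entity Type": "Host",     "Severity": "fatal"},
]


def top_values(records, field, limit=10):
    """First form of top: the `limit` most frequent values of a raw field,
    as in `* | top 'Log Source'`. Returns (value, count) pairs, highest
    count first; limit=-1 returns every distinct value."""
    counts = Counter(r[field] for r in records if field in r)
    return counts.most_common(None if limit == -1 else limit)


def stats_count(records, by):
    """Equivalent of `stats count as cnt by <fields>`: one row per distinct
    combination of the `by` fields, carrying the count in cnt."""
    counts = Counter(tuple(r.get(f) for f in by) for r in records)
    return [dict(zip(by, key), cnt=n) for key, n in counts.items()]


def top_rows(rows, field, limit=10, by=None):
    """Second form of top: the rows with the highest value in `field`, which
    here is an aggregate produced by a preceding stats. With `by`, the rows
    are partitioned on those fields and the limit applies to each group.
    Ties keep their input order (the product's tie-break is not given here)."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row.get(f) for f in (by or []))].append(row)
    result = []
    for members in groups.values():
        ranked = sorted(members, key=lambda r: r[field], reverse=True)
        result.extend(ranked if limit == -1 else ranked[:limit])
    return result


def most_frequent_log_sources(limit=10):
    """* | top 'Log Source'"""
    return top_values(RECORDS, "Log Source", limit)


def fatal_hosts(limit=5):
    """'Entity Type' = Host and Severity = fatal
       | stats count as cnt by Entity, 'Entity Type'
       | top limit = 5 cnt"""
    filtered = [r for r in RECORDS
                if r["Entity Type"] == "Host" and r["Severity"] == "fatal"]
    return top_rows(stats_count(filtered, ["Entity", "Entity Type"]), "cnt", limit)


def fatal_per_entity_type(limit=2):
    """Severity = fatal
       | stats count as cnt by Entity, 'Entity Type'
       | top limit = 2 cnt by 'Entity Type'
    The page's per-group example, with Entity standing in for Target."""
    filtered = [r for r in RECORDS if r["Severity"] == "fatal"]
    return top_rows(stats_count(filtered, ["Entity", "Entity Type"]), "cnt",
                    limit, by=["Entity Type"])


if __name__ == "__main__":
    print("top 'Log Source':", most_frequent_log_sources())
    print("fatal hosts, top 5:", fatal_hosts())
    print("fatal, top 2 per entity type:", fatal_per_entity_type())
```

Running the script shows the distinction the description draws: top_values counts raw field occurrences, while top_rows only ranks values that an earlier stats step has already aggregated. The per-group call returns two Host rows and one Database row, confirming that the limit is applied within each 'Entity Type' group rather than to the result as a whole.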

The following query returns, for each source IP, the 2 client host cities with the highest bandwidth usage:

* | link 'Client Host City', 'Source IP' 
    | stats sum('Content Size Out') as 'Bandwidth Usage' 
    | top limit = 2 'Bandwidth Usage' by 'Source IP'