bottom
Use the bottom command to display n number of
results (where n is a number you specify) with the lowest aggregated value as
determined by the specified field. This command must be preceded with a
STATS or CLUSTER command. When you use this command,
the results of the command passed before the pipe character are sorted in ascending order,
based on the field and number specified when running the query.
Syntax
[stats|cluster] | bottom [limit=<limit>] <field_name>Parameters
The following table lists the parameters used in this command, along with their descriptions.
| Parameter | Description |
|---|---|
|
|
Specify the field by which you want the results to be sorted. |
|
|
Specify the number of entries you want to see. If no value is specified, then the default value of |
The following command returns the 10 log sources with the lowest number of log entries.
* | stats count as cnt by Source
| bottom cntThe following command returns 20 targets with the fewest fatal log entries.
Severity = fatal
| stats count as cnt by 'Entity Type', Entity
| bottom limit = 20 cntThe following command returns 10 summaries with the fewest number of similar log records.
* | cluster
| bottom CountThe following command returns the 2 lowest number of log entries for each target type:
* | stats count as cnt by Target, 'Target Type'
| bottom limit = 2 cnt by 'Target Type'The following command returns the 2 lowest bandwidth usage for each source IP:
* | link 'Client Host City', 'Source IP'
| stats sum('Content Size Out') as 'Bandwidth Usage'
| bottom limit = 2 'Bandwidth Usage' by 'Source IP'