top

This command is experimental

Definition

top finds the most common values in the selected table column and counts how often each value occurs in that column.

Syntax

| top [(limit=)<int>] [countfield=<string>] [percentfield=<string>] [showcount=<boolean>] [showperc=<boolean>] [useother=<boolean>] [otherstr=<string>] <column-name> [BY <column-name>, ...]

Examples

When top is used, the query returns the table column used in the query, a count column and a percent column.

Currently, showcount and showperc have not yet been implemented to work with top.

Due to this:

  • The count and percent columns aren’t visible in the results

  • All available columns are returned

index=example earliest=-5y
| top _raw
Example of the basic top command query

limit

Use the limit argument to change how many results top returns. You can use either the abbreviated form or the complete one.

%dpl
index=example earliest=-5y
| top 5 _raw

%dpl
index=example earliest=-5y
| top limit=5 _raw

Currently, limit returns varying results. See the issue on GitHub.

If the limit argument isn’t used, top returns 10 results by default.
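
To cross-check top output while the count and percent columns are not shown, the following added example (not part of the original documentation or of the DPL implementation) computes the result described above in Python: the most common values of one column, with a count and a percent column and a default limit of 10. The function name, the handling of rows that lack the column, the tie ordering and the sample events are assumptions made for this example.

```python
from collections import Counter


def top(rows, column, limit=10, countfield="count", percentfield="percent"):
    """Reference calculation for `| top [limit=N] <column>` (illustrative only)."""
    # Assumption: rows that lack the column are skipped, so percentages are
    # relative to the rows that actually carry a value.
    values = [row[column] for row in rows if row.get(column) is not None]
    total = len(values)
    counts = Counter(values)
    # Sort by count (descending), then by value, so ties resolve the same
    # way on every run (assumed ordering, chosen here for repeatability).
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [
        {column: value, countfield: n, percentfield: round(100.0 * n / total, 2)}
        for value, n in ranked[:limit]
    ]


# Constructed sample events (not real data): failed logins keyed by source address.
SAMPLE_EVENTS = (
    [{"src": "192.0.2.10"}] * 4
    + [{"src": "198.51.100.7"}] * 3
    + [{"src": "203.0.113.5"}] * 2
    + [{"src": "192.0.2.99"}] * 2
    + [{"user": "root"}]  # event without a src column
)

if __name__ == "__main__":
    for row in top(SAMPLE_EVENTS, "src", limit=3):
        print(row)
```

Export the same time range from the index, run it through this function, and compare the values with what top returned.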

countfield

Currently, countfield has not yet been implemented to work with top.

percentfield

Currently, percentfield has not yet been implemented to work with top.

showcount

Currently, showcount has not yet been implemented to work with top.

showperc

Currently, showperc has not yet been implemented to work with top.

useother and otherstr

Currently, useother and otherstr have not yet been implemented to work with top.

Split-by clause

Currently, the split-by clause has not yet been implemented to work with top.

Further Reading