top
Shows the most common values. The dual to rare.
top x:fieldDescription
Section titled “Description”Shows the most common values for a given field. For each value, a new event
containing its count will be produced. In general, top x is equivalent to:
summarize x, count=count()sort -countx: field
Section titled “x: field”The field to find the most common values for.
Examples
Section titled “Examples”Find the most common values
Section titled “Find the most common values”from {x: "B"}, {x: "A"}, {x: "A"}, {x: "B"}, {x: "A"}, {x: "D"}, {x: "C"}, {x: "C"}top x{x: "A", count: 3}{x: "B", count: 2}{x: "C", count: 2}{x: "D", count: 1}Show the 5 top-most values
Section titled “Show the 5 top-most values”top id.orig_hhead 5