Splunk – Top Command

We are often interested in the most common values that occur in a field. Splunk's top command does exactly this: it returns the most frequent values of a field together with the count and the percentage of events in which each value occurs.

Top Values for a Field

In its simplest form, the command returns each value's count and that count as a percentage of the total number of events. In the example below, we find the 8 most frequent productId values.

Top Values for a Field by a Field

We can also add a second field in the top command's by clause, which computes the top values of field1 separately for each value of field2. In the search below, we find the top 3 productId values for each file name. Note that each file name is repeated 3 times, once for each of its top productId values.

Show Options

We can also choose which columns are shown by using the additional options that the top command accepts. In the command below, we turn off the percentage column and display only the top product ID for each file name.
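To see exactly what the three searches on this page compute (top values of a field, top values of a field for each value of a second field, and suppressing the percentage column), the Python below emulates Splunk's top command, including its limit, showcount and showperc options, over a small set of events. This is an added example written for this page, not Splunk's own code: the events, the product IDs and the field name file for the file name are constructed sample data, and the order used for tied counts is the emulator's own choice, since Splunk makes no promise about tie order.

```python
from collections import Counter


def _events(product_id, file_name, n):
    """Build n constructed events carrying the two fields the page uses."""
    return [{"productId": product_id, "file": file_name} for _ in range(n)]


# Constructed sample data (not Splunk's tutorial data): 16 events spread over
# three files. Field name "file" is an assumption for "file name".
EVENTS = (
    _events("WC-SH-G04", "access_1.log", 3)
    + _events("DB-SG-G01", "access_1.log", 2)
    + _events("FS-SG-G03", "access_1.log", 1)
    + _events("WC-SH-G04", "access_2.log", 2)
    + _events("DB-SG-G01", "access_2.log", 1)
    + _events("MB-AG-G07", "access_2.log", 2)
    + _events("FS-SG-G03", "access_2.log", 1)
    + _events("WC-SH-G04", "access_3.log", 2)
    + _events("DB-SG-G01", "access_3.log", 1)
    + _events("MB-AG-G07", "access_3.log", 1)
)


def _rank(events, field, limit, showcount, showperc, prefix=None):
    """Count the values of `field`, keep the `limit` most frequent, and attach
    the count/percent columns. Percent is relative to the events that actually
    contain `field`, which is how Splunk's top computes it."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    # Most frequent first; ties broken by value so the output is deterministic.
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    if limit:  # limit=0 means "return all values", as in Splunk
        ordered = ordered[:limit]
    rows = []
    for value, count in ordered:
        row = dict(prefix or {})
        row[field] = value
        if showcount:
            row["count"] = count
        if showperc:
            row["percent"] = round(count * 100.0 / total, 6)
        rows.append(row)
    return rows


def top(events, field, by=None, limit=10, showcount=True, showperc=True):
    """Emulate `top <field> [by <by>] limit=N showcount=<bool> showperc=<bool>`.

    Without a by-clause: one row per distinct value of `field`, limited to the
    `limit` most frequent. With a by-clause: the same ranking is computed
    separately inside each value of `by`, so each by-value appears up to
    `limit` times in the result, exactly like the repeated file names on the page.
    """
    if by is None:
        return _rank(events, field, limit, showcount, showperc)
    groups = {}
    for e in events:
        if by in e and field in e:
            groups.setdefault(e[by], []).append(e)
    rows = []
    # Largest group first (then by name) so the busiest file is listed first.
    for by_value in sorted(groups, key=lambda k: (-len(groups[k]), k)):
        rows.extend(_rank(groups[by_value], field, limit, showcount, showperc,
                          prefix={by: by_value}))
    return rows


if __name__ == "__main__":
    # The SPL search each call corresponds to is given in the comment above it.
    #   ... | top productId limit=8
    for row in top(EVENTS, "productId", limit=8):
        print(row)
    #   ... | top productId by file limit=3
    for row in top(EVENTS, "productId", by="file", limit=3):
        print(row)
    #   ... | top productId by file limit=1 showperc=f
    for row in top(EVENTS, "productId", by="file", limit=1, showperc=False):
        print(row)
```

Run the file directly to print the three result tables. The percent column is computed within each file when a by clause is present, which is why a product that is rare overall can still sit at 50% inside one file; when reading top output in an investigation, check which denominator a percentage refers to before comparing rows from different groups.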
