top( ) Query Function

Find the most common values of a field. It is also possible to find the occurrences of a field using the value of another field.

This function is implemented using a streaming approximation algorithm when the data set becomes huge. It is implemented using datasketches. By default a warning is issued if the result’s precision is worse than 5 percent. This can be specified using the error parameter The implementation uses a maxMapSize with value 32768 for historical queries and 8192 for live queries. Details about the precision is found here. Only results falling within the threshold is returned.

Parameters

Name Type Required Default Description
field [string] Yes Which fields to group by count. If none of the fields are present, the event is not counted. The top function works like groupby([fields], function=count())
sum string No Change semantics from counting to summing the value of a sum field. If specified, the top works like groupby([fields], function=sum(sum))
max string No Change semantics from counting to finding the max value of a max field. If specified, the top works like groupby([fields], function=max(max))
limit number No 10 The number of results to return. Limited to 20,000 by default, configurable for the system using MAX_STATE_LIMIT
as string No The name of the count field created by top. Defaults to _count, but changed to _sum if the sum parameter is used.
rest string No A row is returned holding the count of all the other values not in top
percent bool No false If set to true, add a column named percent containing the count in percentage of the total
error number No 5 Show a warning if the result is not precise enough. This parameter specifies the error treshold in percent. Default is 5 percent

field is the unnamed parameter.

Examples

Find top ten users in the logs and show their count

top(user)

Find top 20 ip addresses requesting most bytes from webserver

top(field=client, sum=bytes_sent, limit=20, as=bytes)