Lists, in tabular form, the least common values of the specified field in the search results. That is, the values are listed from the lowest count to the highest.
When multiple fields are specified, the count of each unique combination of values of those fields is listed, from the lowest count to the highest.
Synopsis
...| rare <field1> <field2> <field3> ...
Sorts the matching results from least to most common for the specified fields.
Usage Notes
Typically, the <field> list contains event fields available in the Logger schema or user-defined fields created by the rex or eval operators earlier in the query, as shown in the examples below. However, fields might also be defined by other operators such as the eval operator.
A chart of the search results is automatically generated when this operator is included in a query. You can click on a charted value to quickly filter down to events with specific field values. For more information, see Chart Drill Down.
If multiple fields are specified, separate the field names with a space or a comma.
... | rare deviceEventCategory
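The counting rule described above, as an added Python sketch (not Logger code and not part of the original page): it parses a `rare` stage with space- or comma-separated fields and counts unique value combinations over constructed events. The sample values, the tie-break order, and the handling of events that lack a field are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (values made up for illustration).
EVENTS = (
    [{"deviceEventCategory": "/Authentication/Verify", "deviceVendor": "Unix"}] * 3
    + [{"deviceEventCategory": "/Authentication/Verify", "deviceVendor": "CISCO"}]
    + [{"deviceEventCategory": "/Access/Start", "deviceVendor": "CISCO"}] * 2
    + [{"deviceEventCategory": "/Agent/Started", "deviceVendor": "ArcSight"}]
)


def parse_rare(stage):
    """Return the field names of a 'rare f1, f2 f3' stage.

    Field names may be separated by white space or by a comma.
    """
    m = re.fullmatch(r"\s*rare\s+(.+?)\s*", stage)
    if not m:
        raise ValueError("not a rare stage: %r" % stage)
    return [f for f in re.split(r"[,\s]+", m.group(1)) if f]


def rare(events, stage):
    """Emulate the rare operator: rows ordered from lowest to highest count."""
    fields = parse_rare(stage)
    # Assumption: an event that lacks a field contributes None for it.
    counts = Counter(tuple(e.get(f) for f in fields) for e in events)
    # Assumption: equal counts are ordered by value so the output is stable.
    rows = sorted(
        counts.items(),
        key=lambda kv: (kv[1], tuple(str(v) for v in kv[0])),
    )
    return [dict(zip(fields, key), count=n) for key, n in rows]


if __name__ == "__main__":
    for stage in ("rare deviceEventCategory",
                  "rare deviceEventCategory, deviceVendor"):
        print("... | " + stage)
        for row in rare(EVENTS, stage):
            print("   ", row)
```

With one field, `/Authentication/Verify` is the most common value; with two fields, the single `/Authentication/Verify` event from `CISCO` moves to the top of the list, which is the kind of outlier the multi-field form exposes.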