top

Lists, in tabular form, the most common values for the specified field. The values are listed from the highest count to the lowest.

Synopsis

...| top [<N>] <field1> <field2> <field3> ... 

<N> limits the matches to the top N values for the specified fields. Default: 500, if <N> is not specified.

Usage Notes

The fields can be either event fields available in the Logger schema or user-defined fields created with the rex or eval operators earlier in the query. If multiple fields are specified, separate the field names with a space or a comma.

When multiple fields are specified, the count of each unique combination of values across those fields is listed, from the highest count to the lowest.

A chart of the search results is automatically generated when this operator is included in a query. You can click on a charted value to quickly filter down to events with specific field values. For more information, see Chart Drill Down.

To limit the matches to the top N values for the specified fields, specify a value for <N>.

The value you specify overrides the default value of 500. For example, the following query:

...| top 1000 deviceEventCategory

charts the events with the 1000 most common values in the deviceEventCategory field.
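
The multi-field counting and the <N> limit described above can be reproduced outside Logger to check what a query should return. The following Python function is an added example, not ArcSight code; the sample events, the skipping of events that lack a requested field, and the tie-breaking order are assumptions not documented on this page.

```python
from collections import Counter

DEFAULT_N = 500  # default limit stated on this page


def top(events, fields, n=DEFAULT_N):
    """Emulate `...| top [<N>] <field1> <field2> ...` over dict events.

    Returns rows of (value1, value2, ..., count), highest count first.
    Assumptions: an event missing any requested field is skipped, and
    equal counts are ordered by value so the output is deterministic.
    """
    if n < 1:
        raise ValueError("N must be a positive integer")
    counts = Counter()
    for event in events:
        try:
            # One key per unique combination of values across all fields.
            key = tuple(str(event[f]) for f in fields)
        except KeyError:
            continue
        counts[key] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [key + (count,) for key, count in ranked[:n]]


# Constructed sample events (not taken from any real Logger instance).
SAMPLE_EVENTS = (
    [{"sourceAddress": "10.0.0.5", "destinationPort": "22"}] * 3
    + [{"sourceAddress": "10.0.0.5", "destinationPort": "443"}]
    + [{"sourceAddress": "10.0.0.9", "destinationPort": "22"}] * 2
    + [{"sourceAddress": "10.0.0.9"}]  # no destinationPort field
)

if __name__ == "__main__":
    # Equivalent in spirit to: ...| top sourceAddress destinationPort
    for row in top(SAMPLE_EVENTS, ["sourceAddress", "destinationPort"]):
        print(row)
    # Equivalent in spirit to: ...| top 1 sourceAddress
    print(top(SAMPLE_EVENTS, ["sourceAddress"], n=1))
```

With one field the count is per value; with two fields the same source address appears once per distinct port it was seen with, which is why the per-row counts are smaller.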
