The top command returns the most frequent values of a specified field in your returned events. The rare command, returns the least common value of a specified field in your returned events. Both commands share the same syntax. If you don't specify a limit, the default number of values displayed in a top or rare is ten.

Example 1: Generate a report that sorts through firewall information to list the top 100 destination ports used by your system:

sourcetype=firewall | top limit=100 dst_port

Example 2: Generate a report that shows you the source ports with the lowest number of denials.

sourcetype=firewall action=Deny | rare src_port

Say you're indexing an alert log from a monitoring system, and you have two fields:

• msg is the message, such as CPU at 100%.
• mc_host is the host that generates the message, such as log01.

How do you get a report that displays the top msg and the values of mc_host that sent them, so you get a table like this:

To do this, set up a search that finds the top message per mc_host (using limit=1 to only return one) and then sort by the message count in descending order:

sourcetype=alert_log | top 1 msg by mc_host | sort count