Use this command to display a specified number of results with the highest aggregated value, as determined by the specified field. Because the field must hold an aggregated value, this command must be preceded by an aggregating command such as stats or cluster (the examples below use both). The results from the command to the left of the pipe character are sorted in descending order on the specified field, and the requested number of results is displayed.
top [limit=<limit>] <field_name>
The following table lists the parameters used with this command, along with their descriptions.

| Parameter | Description |
|---|---|
| <field_name> | The field according to which the highest aggregated values are determined. It must be a field produced by the preceding stats or cluster command (for example, the alias given to count, or the Count field that cluster produces). |
| limit=<limit> | The maximum number of results to display. If no value is specified, the default value of 10 is used. |
The following query returns the 10 log sources with the highest number of log entries.
* | stats count as cnt by 'Log Source' | top cnt
The following query returns the 5 host entities with the most fatal log entries.
'Entity Type' = Host and Severity = fatal | stats count as cnt by Entity, 'Entity Type' | top limit = 5 cnt
The following query returns the 10 cluster summaries with the highest Count, that is, the clusters containing the most similar log records.
* | cluster | top Count
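To make the semantics of the two pipelines above concrete, the following is an added example that emulates `<filter> | stats count as cnt by <fields> | top [limit=N] cnt` in plain Python. It is not Oracle Logging Analytics code: the record layout, the `where`, `stats_count_by` and `top` helper names, and the sample log records are all constructed for illustration. The page does not state how ties on the aggregated value are ordered; this emulation relies on a stable sort, so tied rows keep the order in which the aggregation produced them, which is an assumption.

```python
"""Emulation of `<filter> | stats count as cnt by <fields> | top [limit=N] <field>`.

Added example, not Oracle Logging Analytics code. The helper names and the
sample records below are constructed for illustration.
"""
from collections import Counter

# Constructed sample log records: each record is a dict of field -> value.
SAMPLE_RECORDS = [
    {"Log Source": "Linux Syslog",        "Entity": "web01",   "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Syslog",        "Entity": "web01",   "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Apache Access Logs",  "Entity": "web01",   "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Syslog",        "Entity": "db01",    "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Database Alert Logs", "Entity": "db01",    "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Database Alert Logs", "Entity": "db01",    "Entity Type": "Host",     "Severity": "warning"},
    {"Log Source": "Linux Syslog",        "Entity": "app01",   "Entity Type": "Host",     "Severity": "fatal"},
    {"Log Source": "Linux Syslog",        "Entity": "cache01", "Entity Type": "Host",     "Severity": "error"},
    {"Log Source": "Linux Syslog",        "Entity": "cache01", "Entity Type": "Host",     "Severity": "error"},
    {"Log Source": "Database Alert Logs", "Entity": "orcl",    "Entity Type": "Database", "Severity": "fatal"},
    {"Log Source": "Database Alert Logs", "Entity": "orcl",    "Entity Type": "Database", "Severity": "fatal"},
]


def where(records, **conditions):
    """Emulates the filter left of the first pipe, e.g. 'Entity Type' = Host and Severity = fatal.

    Every condition must match (logical AND); records lacking a field do not match.
    """
    return [r for r in records if all(r.get(k) == v for k, v in conditions.items())]


def stats_count_by(records, *fields):
    """Emulates `stats count as cnt by f1, f2, ...`: one row per distinct key, with a cnt field."""
    counts = Counter(tuple(r.get(f) for f in fields) for r in records)
    return [dict(zip(fields, key), cnt=n) for key, n in counts.items()]


def top(rows, field, limit=10):
    """Emulates `top [limit=<limit>] <field_name>`.

    Sorts rows in descending order on the aggregated field and keeps at most
    `limit` rows; the default of 10 follows the page's own examples. Python's
    sort is stable, so rows tied on `field` keep their aggregation order
    (an assumption; the page does not specify tie ordering).
    """
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    if any(field not in r for r in rows):
        raise KeyError(f"{field!r} is not a field of every row; top needs an aggregated field")
    return sorted(rows, key=lambda r: r[field], reverse=True)[:limit]


def query_top_log_sources(records):
    """* | stats count as cnt by 'Log Source' | top cnt"""
    return top(stats_count_by(records, "Log Source"), "cnt")


def query_top_fatal_hosts(records, limit=5):
    """'Entity Type' = Host and Severity = fatal | stats count as cnt by Entity, 'Entity Type' | top limit = 5 cnt"""
    filtered = where(records, **{"Entity Type": "Host", "Severity": "fatal"})
    return top(stats_count_by(filtered, "Entity", "Entity Type"), "cnt", limit=limit)


if __name__ == "__main__":
    for row in query_top_log_sources(SAMPLE_RECORDS):
        print(f"{row['Log Source']:<20} cnt={row['cnt']}")
    print()
    for row in query_top_fatal_hosts(SAMPLE_RECORDS):
        print(f"{row['Entity']:<8} {row['Entity Type']:<5} cnt={row['cnt']}")
```

Note that the Database entity `orcl` never appears in the second result even though it has two fatal entries: the `'Entity Type' = Host` filter is applied before the aggregation, so `top` only ever ranks the rows that survive the filter.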