Top Command
Use this command to display a specified number of results with the highest aggregated value as determined by the specified field. Since the field must represent an aggregated value, this command must be preceded by a stats or cluster command. The results from the command to the left of the pipe character are sorted in descending order, based on the field specified, and the requested number of results are displayed.
Syntax
top [limit=<limit>] <field_name>Parameters
The following table lists the parameters used with this command, along with their descriptions.
| Parameter | Description |
|---|---|
field_name |
Use this parameter to specify the field according to which the highest aggregated values are determined. |
limit |
Use this parameter to specify the limit. If no value is specified, then the default value of 10 is used. Entering a value of –1 will return all rows.
|
The following query returns the 10 log sources with the highest number of log entries.
* | stats count as cnt by 'Log Source' | top cntThe following query returns the 5 host entities with the most fatal log entries.
'Entity Type' = Host and Severity = fatal | stats count as cnt by Entity, 'Entity Type' | top limit = 5 cntThe following query returns the 10 summaries with the highest number of similar log records.
* | cluster | top Count