nano SIEM
Search Commands

rare

Find the least common values for a field. Automatically counts, sorts, and limits results.

Description

The rare command identifies the least frequently occurring values of a field. It counts each distinct value, sorts the values by frequency in ascending order, and limits the output to the N least frequent values.

This is useful for finding outliers, unusual activity, or infrequently used resources.

Syntax

... | rare [limit=<int>] <field> [by <field>] [showcount=<bool>] [showperc=<bool>]

Required Arguments

field
Field to find rare values for

Optional Arguments

limit
Syntax: limit=<int>
Description: Number of rare values to return
Default: 10

by
Syntax: by <field>
Description: Calculate rare values separately for each value of this field

showcount
Syntax: showcount=true|false
Description: Include count column
Default: true

showperc
Syntax: showperc=true|false
Description: Include percentage column
Default: true

Examples

10 least common users

* | rare user

5 rarest source IPs

* | rare limit=5 src_ip

Rare actions

* | rare action

Rare ports by source

* | rare dest_port by src_ip

Least accessed URLs

* | rare limit=20 url

Rare error codes

severity=error | rare error_code

Infrequent processes

* | rare process_name limit=15

Rare destinations

* | rare dest_ip

Unusual user agents

* | rare user_agent limit=25

Rarely targeted users

action=login | rare target_user

Usage Notes

Opposite of top: rare finds least common values, top finds most common.

Automatic sorting: Results sorted by frequency (lowest first).

Outlier detection: Useful for finding anomalies and unusual patterns.

vs. stats: Equivalent to, but more concise than, stats count() by field | sort count | head N.
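As an added worked example, not part of the nano SIEM documentation or its code, the following Python model implements the rare semantics described in the argument list and usage notes above: count each value of the field, sort ascending by count, keep the bottom limit, optionally per by-group, with count and percent columns toggled by showcount and showperc. The sample events are constructed. Three details are assumptions rather than documented behaviour: events that lack the field (or the by field) are skipped, percent is a value's share of the events that carry the field within its group, and ties on count are broken by value so the output is deterministic. A second function spells out the longer stats | sort | head pipeline from the usage note so the two can be compared.

```python
from collections import Counter
from typing import Any, Dict, List, Optional

# Constructed sample events (not taken from any real system): login records with
# one deliberately rare source IP and one rare user, plus one event without src_ip.
EVENTS: List[Dict[str, Any]] = [
    {"user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"user": "bob", "src_ip": "10.0.0.7", "action": "login"},
    {"user": "bob", "src_ip": "10.0.0.7", "action": "login"},
    {"user": "carol", "src_ip": "10.0.0.9", "action": "login"},
    {"user": "mallory", "src_ip": "198.51.100.23", "action": "login"},
    {"user": "bob", "action": "logout"},  # no src_ip: skipped when src_ip is queried (assumption)
]


def rare(events: List[Dict[str, Any]], field: str, limit: int = 10,
         by: Optional[str] = None, showcount: bool = True,
         showperc: bool = True) -> List[Dict[str, Any]]:
    """Model of `... | rare [limit=N] <field> [by <field>] [showcount] [showperc]`.

    Counts every value of `field`, sorts ascending by count and keeps the
    bottom `limit` values; with `by`, this happens separately per group.
    Percent is assumed to be the value's share of events that carry `field`
    (within the group when `by` is given).
    """
    groups: Dict[Any, Counter] = {}
    for ev in events:
        if field not in ev or (by is not None and by not in ev):
            continue  # assumption: events missing the field are not counted
        key = ev[by] if by is not None else None
        groups.setdefault(key, Counter())[ev[field]] += 1

    rows: List[Dict[str, Any]] = []
    for key in sorted(groups, key=str):
        counter = groups[key]
        total = sum(counter.values())
        # ascending count; tie-break on the value text so output is deterministic
        ordered = sorted(counter.items(), key=lambda kv: (kv[1], str(kv[0])))
        for value, count in ordered[:limit]:
            row: Dict[str, Any] = {}
            if by is not None:
                row[by] = key
            row[field] = value
            if showcount:
                row["count"] = count
            if showperc:
                row["percent"] = round(100.0 * count / total, 2)
            rows.append(row)
    return rows


def stats_count_sort_head(events: List[Dict[str, Any]], field: str, n: int) -> List[Any]:
    """The longer pipeline from the usage note, stage by stage:
    stats count() by <field> | sort count | head N. Returns only the values."""
    counts = Counter(ev[field] for ev in events if field in ev)          # stats count() by field
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], str(kv[0])))  # sort count
    return [value for value, _ in ordered[:n]]                           # head N


if __name__ == "__main__":
    # * | rare limit=2 src_ip
    for row in rare(EVENTS, "src_ip", limit=2):
        print(row)
    # * | rare user by action
    for row in rare(EVENTS, "user", by="action"):
        print(row)
```

Running the module prints the two rarest source IPs (each 1 of 7 events carrying src_ip) and then the per-action breakdown of users; `stats_count_sort_head(EVENTS, "user", 2)` yields the same values as `rare(EVENTS, "user", limit=2)`, which is the equivalence the usage note states.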

  • top - Find most common values
  • stats - Manual aggregation
  • sort - Custom sorting