nano SIEM
Search Commands

top

Find the most common values for a field. Automatically counts, sorts, and limits results.

Description

The top command identifies the most frequently occurring values in a field. It automatically performs counting, sorting by frequency (descending), and limiting to top N results.

This is a shortcut for stats count() by field | sort -count | head N.

Syntax

... | top [limit=<int>] <field> [by <field>] [showcount=<bool>] [showperc=<bool>]

Required Arguments

field
Field to find top values for

Optional Arguments

limit
Syntax: limit=<int>
Description: Number of top values to return
Default: 10

by
Syntax: by <field>
Description: Calculate top values separately for each value of this field

showcount
Syntax: showcount=true|false
Description: Include count column
Default: true

showperc
Syntax: showperc=true|false
Description: Include percentage column
Default: true

Examples

Top 10 users

* | top user

Top 5 source IPs

* | top limit=5 src_ip

Top actions without percentages

* | top action showperc=false

Top ports by source IP

* | top dest_port by src_ip

Top 20 URLs

* | top limit=20 url

Most common error codes

severity=error | top error_code

Top processes

* | top limit=15 process_name

Top destinations

* | top dest_ip showcount=true showperc=false

Top user agents

* | top user_agent limit=25

Most targeted users

action=login status=failure | top target_user

Usage Notes

Automatic sorting: Results are automatically sorted by frequency (highest first).

Automatic limiting: Default limit is 10. Increase for more results.

Count and percent: By default, shows both count and percentage columns.

vs. stats: top is more concise than stats count() by field | sort -count | head N.

  • rare - Find least common values
  • stats - Manual aggregation with more control
  • sort - Custom sorting