splunksplsplk-1001toprare

Splunk top and rare Commands: Find Your Most and Least Common Values

Learn how to use the Splunk top and rare commands to find the most and least frequent field values. Practical examples and SPLK-1001 exam tips included.

·Jacob Anderson, Splunk Certified Architect

The top and rare commands are two of the quickest ways to get useful information out of Splunk. They're also tested in the SPLK-1001 exam, so it's worth knowing exactly how they work and when to reach for them.

What top Does

top finds the most common values for a field and shows you how often each one appears. It's the SPL equivalent of "what's the most frequent value here?"

The basic syntax is:

index=web_logs | top clientip

This returns a table with three columns: the field value, the count, and the percentage. By default it returns the top 10 results.

You'll use top when you want to answer questions like "which IP addresses are generating the most traffic?" or "which error message is showing up most often?"

What rare Does

rare is the opposite of top. It finds the least common values. Same syntax, same output format.

index=web_logs | rare useragent

This returns the user agents that appear least frequently in your web logs. That's actually very useful from a security perspective since unusual user agents can indicate scanning tools or bots.

Controlling the Number of Results

Both commands default to returning 10 results. Use the limit argument to change this:

index=web_logs | top limit=20 clientip
index=auth_logs | rare limit=5 username

Set limit=0 to return all values (use carefully on high-cardinality fields).

Adding a BY Clause

Like most SPL aggregation commands, top and rare support BY to split results by another field:

index=web_logs | top clientip BY status_code

This returns the top 10 IP addresses for each status code separately. So you'd see the top 10 IPs generating 200s, the top 10 generating 404s, and so on.

This is useful for spotting patterns. If one IP is in the top 10 for 404s but doesn't appear in 200s, that's potentially someone scanning your site for missing resources.

Want to go deeper?

No Nonsense Introduction to Splunk

Skip the endless docs rabbit hole. This hands-on course takes you from zero to confident with Splunk searches, dashboards, and alerts. Taught by a Splunk Certified Architect with over 10 years of real-world experience.

View the course →

Hiding the Count and Percentage

Sometimes you just want the values, not the stats columns. You can suppress them with showcount=false and showperc=false:

index=web_logs | top clientip showcount=false showperc=false

This gives you a clean list of values ordered by frequency, which can be useful when piping the output into another command.

Using top vs stats count

You might wonder why you'd use top instead of stats count BY field | sort -count | head 10. The answer is mostly convenience: top does that in one command and includes the percentage calculation.

For quick exploratory searches, top is faster to type. For more complex searches where you need to apply additional filters or transformations after the count, stats gives you more flexibility.

Both approaches come up in the SPLK-1001 exam, so understand what each one does.

Practical Examples for the Exam

Here are a few searches that illustrate common use cases:

Top source IPs in firewall logs:

index=firewall | top src_ip limit=10

Rarest event types in the last 24 hours:

index=main earliest=-24h | rare limit=5 eventtype

Most common HTTP methods per host:

index=web_logs | top method BY host

Least frequent Windows event IDs (useful for spotting unusual activity):

index=windows sourcetype=WinEventLog | rare EventCode limit=10

What the SPLK-1001 Exam Focuses On

The exam typically tests you on:

  • The default number of results returned (10)
  • What the output columns are (value, count, percent)
  • The difference between top and rare
  • How to change the result limit with limit
  • How BY splits results by a second field

These questions aren't tricky if you've actually run these commands. The output format is distinctive enough that once you've seen it, you'll remember it.

When rare Is Surprisingly Useful

Most people focus on top because finding the most common things seems obviously useful. But rare is underrated. In security analysis, anomaly detection, and troubleshooting, the things that happen infrequently are often the most interesting.

A user account that only appears once in your auth logs might be a test account, a compromised account, or an account being used for a targeted attack. rare surfaces these outliers quickly.

Want to practise these commands on real data? The Introduction to Splunk course includes exercises in the Basic Search module where you'll use top, rare, and stats to analyse sample datasets.

Ready to level up?

No Nonsense Introduction to Splunk

Learn Splunk the practical way. No death-by-slides, no waffle. Just focused video demos with real data and a structured path from installation to dashboards and alerts. From just £9.99 with lifetime access.

Start the course for £9.99 →

Relevant lessons in the course