Use this query function to find the most common values of a field in a set of events — the top of an ordered list of results. It can also rank a field's values by another field, using the sum or maximum of that field instead of a plain count.
The top() query function is a more succinct and powerful way to execute the groupBy() query in conjunction with count() and sort():

```
groupBy([*fields*], function=count())
| sort(_count)
```
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| as | string | optional[a] | _count or _sum | The optional name of the output field. |
| error | number | optional[a] | 5 | The error threshold in percentage for displaying a warning message when not precise enough. |
| field [b] | array of strings | required | | The fields on which to group and count. An event is not counted if fields are not present. |
| limit | number | optional[a] | 10 | Sets the number of results to find. Minimum: 1 |
| max | string | optional[a] | | This changes the function used from count() to find the max value of a max field (for example, groupBy([*fields*], function=max(*max*)) \| sort(_max)). |
| percent | boolean | optional[a] | false | Will add a column named percent containing the count in percentage of total. |
| rest | string | optional[a] | | Will add an extra row containing the count of all the other values not included. |
| sum | string | optional[a] | | This changes the function used from count() to sum() (for example, groupBy([*fields*], function=sum(*sum*)) \| sort(_sum)). |

[a] Optional parameters use their default value unless explicitly set.
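To make the parameter semantics concrete, here is an added, exact in-memory model of what top() computes (this is illustration code, not LogScale's implementation, and LogScale's real function uses an approximate sketch rather than a full table). It runs groupBy on the given fields with count(), sum() or max(), sorts descending, cuts at limit, and optionally adds the percent column and the rest row. The sample events are constructed for this example; the Python names sum_field, max_field and as_name stand in for the LogScale parameters sum, max and as.

```python
from typing import Iterable, Optional

# Constructed sample events for this example (not data from the page):
# web-access style records; the last one lacks src_ip on purpose.
EVENTS = [
    {"src_ip": "10.0.0.1", "status": 200, "bytes": 500},
    {"src_ip": "10.0.0.1", "status": 404, "bytes": 50},
    {"src_ip": "10.0.0.2", "status": 200, "bytes": 700},
    {"src_ip": "10.0.0.3", "status": 500, "bytes": 10},
    {"src_ip": "10.0.0.1", "status": 200, "bytes": 300},
    {"src_ip": "10.0.0.2", "status": 403, "bytes": 20},
    {"src_ip": "10.0.0.4", "status": 200, "bytes": 900},
    {"status": 200, "bytes": 100},  # no src_ip: skipped when grouping on src_ip
]


def top(events: Iterable[dict], fields, limit: int = 10,
        sum_field: Optional[str] = None, max_field: Optional[str] = None,
        percent: bool = False, rest: Optional[str] = None,
        as_name: Optional[str] = None) -> list:
    """Exact model of top(): groupBy(fields, function=count()/sum()/max()) | sort | head(limit).

    sum_field, max_field and as_name mirror the LogScale parameters sum, max and as.
    This is an illustration with a full in-memory table; the real function is approximate.
    """
    if isinstance(fields, str):
        fields = [fields]
    if limit < 1:
        raise ValueError("limit must be at least 1")
    if sum_field is not None and max_field is not None:
        raise ValueError("sum and max are mutually exclusive")
    if percent and max_field is not None:
        raise ValueError("percent is only modelled for count/sum here")

    agg: dict = {}
    for ev in events:
        # An event is not counted if any grouping field is missing.
        if any(f not in ev for f in fields):
            continue
        key = tuple(ev[f] for f in fields)
        if sum_field is not None:
            if sum_field not in ev:
                continue
            agg[key] = agg.get(key, 0) + ev[sum_field]
        elif max_field is not None:
            if max_field not in ev:
                continue
            agg[key] = max(agg.get(key, ev[max_field]), ev[max_field])
        else:
            agg[key] = agg.get(key, 0) + 1

    out_col = as_name or ("_sum" if sum_field else "_max" if max_field else "_count")
    # sort(): descending by the aggregate; ties broken by key so output is deterministic.
    ordered = sorted(agg.items(), key=lambda kv: (-kv[1], str(kv[0])))
    total = sum(agg.values())

    def make_row(labels, value):
        row = dict(zip(fields, labels))
        row[out_col] = value
        if percent:
            row["percent"] = round(100.0 * value / total, 2) if total else 0.0
        return row

    rows = [make_row(key, value) for key, value in ordered[:limit]]
    if rest is not None:
        # One extra row, labelled with the rest string, holding everything outside the top limit.
        rows.append(make_row((rest,) * len(fields), sum(v for _, v in ordered[limit:])))
    return rows
```

Calling `top(EVENTS, "src_ip", limit=2, percent=True, rest="other")` yields two ranked rows plus an "other" row whose _count is the number of events from the sources that did not make the cut, which is the shape a SOC query such as a top-talkers report produces.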
LogScale's top() function uses an approximative algorithm from DataSketches to compute the most frequent items. This algorithm is guaranteed to be exact for up to 0.75*maxMapSize items, where maxMapSize is 32768 items in historical queries and 8192 items in live queries.
The algorithm provides an upper bound for the error. By default, a warning is issued if the guaranteed precision is less than five percent; this error threshold can be modified using the error parameter. See Frequent Items, Error Threshold Table for more information.
top() only returns events that are guaranteed to be in the top k events — that is to say, that are not false positives.
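The two guarantees just described (exact results while the table is not full, and a bounded error with no false positives once it is) are easiest to see on a small sketch. The following is an added illustration using a simplified Misra-Gries style frequent-items sketch; it is not the DataSketches code LogScale runs, and it keeps a plain dictionary, so it stays exact up to max_map_size distinct items rather than the page's 0.75*maxMapSize. The precision_warning method is an assumed model of how the error parameter is compared against the guaranteed error; the two input streams are constructed for the example.

```python
class FrequentItemsSketch:
    """Simplified Misra-Gries style frequent-items sketch (illustration only).

    Invariants for every item:
        lower_bound(item) <= true_count <= lower_bound(item) + max_error()
    and an item that is not in the table has true_count <= max_error().
    """

    def __init__(self, max_map_size: int):
        self.max_map_size = max_map_size
        self.counters = {}   # item -> lower bound on its count
        self.offset = 0      # total amount ever subtracted from every counter
        self.n = 0           # total weight seen

    def update(self, item, weight: int = 1) -> None:
        if weight <= 0:
            raise ValueError("weight must be positive")
        self.n += weight
        self.counters[item] = self.counters.get(item, 0) + weight
        if len(self.counters) > self.max_map_size:
            # Table overflow: subtract the smallest counter from all of them and drop
            # those that reach zero. Every item may now be undercounted by that amount.
            m = min(self.counters.values())
            self.offset += m
            self.counters = {k: v - m for k, v in self.counters.items() if v > m}

    def lower_bound(self, item) -> int:
        return self.counters.get(item, 0)

    def upper_bound(self, item) -> int:
        return self.counters.get(item, 0) + self.offset

    def max_error(self) -> int:
        return self.offset

    def guaranteed_frequent(self):
        """Items whose lower bound exceeds the error, so they cannot be false positives:
        their true count is strictly greater than that of anything that fell out of the table."""
        return sorted(((k, v) for k, v in self.counters.items() if v > self.offset),
                      key=lambda kv: (-kv[1], str(kv[0])))

    def precision_warning(self, error_pct: float = 5.0) -> bool:
        """Assumed model of the error parameter: warn when the guaranteed error,
        as a percentage of the total weight seen, exceeds error_pct."""
        return self.n > 0 and 100.0 * self.offset / self.n > error_pct


def demo_exact(max_map_size: int = 4) -> dict:
    # Constructed stream with 4 distinct values: it fits in the table, so counts are exact.
    s = FrequentItemsSketch(max_map_size)
    for item in "a" * 5 + "b" * 3 + "c" * 2 + "d":
        s.update(item)
    return {"counts": dict(s.counters), "max_error": s.max_error(), "warn": s.precision_warning()}


def demo_overflow(max_map_size: int = 2) -> dict:
    # Constructed stream with 5 distinct values squeezed into 2 counters (a x5, b x2, c, d, e once).
    s = FrequentItemsSketch(max_map_size)
    for item in "aaaaabbcde":
        s.update(item)
    return {
        "a_bounds": (s.lower_bound("a"), s.upper_bound("a")),
        "b_bounds": (s.lower_bound("b"), s.upper_bound("b")),
        "max_error": s.max_error(),
        "guaranteed": s.guaranteed_frequent(),
        "warn": s.precision_warning(),
    }
```

In demo_overflow the true count of "a" is 5 but the sketch can only promise a value between 3 and 5; "b" fell out of the table and is reported only as "at most 2". Because the lower bound for "a" exceeds the maximum error, "a" is returned as guaranteed frequent, while nothing that was evicted can reappear as a false positive; the 20 percent error also trips the default five-percent warning, which is the situation the error parameter lets you tune.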
When the top() function is executed, if there are more distinct values than those that made it into the top results, the rest parameter will return an extra row containing a count of all the remaining values — those values that were not included in the top results. To enable it, set the parameter to whatever you want the row to be labeled.
top() Examples