top() Query Function

Find the most common values of a field. Instead of counting, the values of a field can also be ranked by the sum or the maximum of another field (see the sum and max parameters).

When the data set becomes huge this function switches from exact counting to a streaming approximation algorithm, implemented with the DataSketches library. By default a warning is issued if the precision of the result is worse than 5 percent; the threshold can be changed with the error parameter. The implementation uses a maxMapSize of 32768 for historical queries and 8192 for live queries. Details about the precision are found here. Only results falling within the error threshold are returned. Because the counts can be estimates, a low-frequency value may be missing from the output or carry an approximate count; when an exact figure matters, for instance when an alert depends on a specific count, use groupby([*fields*], function=count()) | sort(_count) instead.
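The following Python class is an added illustration of the principle behind the approximation described above; it is not Humio's or DataSketches' code. It implements the Misra-Gries frequent-items summary with a bounded number of counters (the analogue of maxMapSize), reports a lower and upper bound per value, keeps only values whose lower bound exceeds the maximum error, and raises a warning in the spirit of the error parameter. It is an assumption that "precision" here means the maximum possible error as a share of the events seen; the DataSketches sketch uses a different purge strategy, so the exact numbers differ from what a real query produces. The input stream of source IPs is constructed, not captured data.

```python
from typing import Hashable, Iterable, Optional


class FrequentItemsSketch:
    """Bounded-memory frequent-items summary (Misra-Gries algorithm).

    At most `max_map_size` counters are kept. When the map is full and an
    unseen item arrives, the new item is dropped and every tracked item is
    charged one count, so each stored count is a lower bound on the true count
    and the number of such rounds bounds the error. Illustration only
    (assumption): DataSketches offers the same kind of bounds but is not
    reproduced here.
    """

    def __init__(self, max_map_size: int) -> None:
        if max_map_size < 1:
            raise ValueError("max_map_size must be at least 1")
        self.max_map_size = max_map_size
        self.counters: dict[Hashable, int] = {}
        self.stream_length = 0      # N: items fed so far
        self.decrement_rounds = 0   # d: rounds in which every tracked item lost one count

    def update(self, item: Hashable) -> None:
        self.stream_length += 1
        if item in self.counters:
            self.counters[item] += 1
        elif len(self.counters) < self.max_map_size:
            self.counters[item] = 1
        else:
            # Full map: drop the new item and charge every tracked item once.
            self.decrement_rounds += 1
            for key in list(self.counters):
                self.counters[key] -= 1
                if self.counters[key] == 0:
                    del self.counters[key]

    def update_all(self, items: Iterable[Hashable]) -> None:
        for item in items:
            self.update(item)

    def max_error(self) -> int:
        """Largest amount by which any stored count can undercount the truth."""
        return self.decrement_rounds

    def estimate(self, item: Hashable) -> tuple[int, int]:
        """(lower bound, upper bound) for the true count of `item`."""
        lower = self.counters.get(item, 0)
        return lower, lower + self.decrement_rounds

    def frequent_items(self, limit: int) -> list[tuple[Hashable, int]]:
        """Items whose lower bound exceeds the maximum error (no false positives), most frequent first."""
        err = self.max_error()
        kept = [(k, v) for k, v in self.counters.items() if v > err]
        kept.sort(key=lambda kv: (-kv[1], str(kv[0])))
        return kept[:limit]

    def precision_warning(self, error_pct: float = 5.0) -> Optional[str]:
        """Analogue of the error parameter: warn when the maximum error exceeds error_pct of the stream."""
        if self.stream_length == 0:
            return None
        actual = 100.0 * self.max_error() / self.stream_length
        if actual > error_pct:
            return (f"result is approximate: maximum error {self.max_error()} of "
                    f"{self.stream_length} events ({actual:.1f}% > {error_pct}%)")
        return None


def build_stream() -> list[str]:
    """Constructed sample (not captured traffic): 100 rounds of two busy source IPs
    plus one fresh single-hit IP per round. True counts: 10.0.0.5=200, 10.0.0.9=100,
    each 198.51.100.x=1; 400 events in total."""
    stream: list[str] = []
    for i in range(1, 101):
        stream += ["10.0.0.5", "10.0.0.5", "10.0.0.9", f"198.51.100.{i}"]
    return stream


def run(max_map_size: int) -> dict:
    """Feed the constructed stream through a sketch of the given size and summarise it."""
    sk = FrequentItemsSketch(max_map_size)
    sk.update_all(build_stream())
    return {
        "top": sk.frequent_items(10),
        "max_error": sk.max_error(),
        "bounds_A": sk.estimate("10.0.0.5"),
        "bounds_B": sk.estimate("10.0.0.9"),
        "warning": sk.precision_warning(5.0),
    }


if __name__ == "__main__":
    for size in (3, 32):
        print(size, run(size))
```

With only 3 counters the sketch undercounts both busy IPs by 50, drops 10.0.0.9 entirely because its lower bound does not clear the error, and the precision warning fires (12.5 percent); with 32 counters the error shrinks to 3, both busy IPs are returned, and no warning is raised. The one-off IPs never appear in either case, which is the behaviour to keep in mind when hunting for rare values.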

Parameters

| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| field | [string] | Yes | | Which field(s) to group by and count. If none of the fields are present in an event, the event is not counted. top works like groupby([*fields*], function=count()) \| sort(_count). |
| sum | string | No | | Change the semantics from counting to summing the value of the given field. If specified, top works like groupby([*fields*], function=sum(*sum*)) \| sort(_sum). |
| max | string | No | | Change the semantics from counting to finding the maximum value of the given field. If specified, top works like groupby([*fields*], function=max(*max*)) \| sort(_max). |
| limit | number | No | 10 | The number of results to return. Limited to 20,000 by default; the system-wide maximum is configured with MAX_STATE_LIMIT. |
| as | string | No | _count | The name of the count field created by top. Defaults to _count, or to _sum if the sum parameter is used. |
| rest | string | No | | If set, an extra row is returned holding the count of all the other values not in the top list. |
| percent | boolean | No | false | If set to true, add a column named percent containing each count as a percentage of the total. |
| error | number | No | 5 | Show a warning if the result is not precise enough. The value is the error threshold in percent. |

field is the implied parameter, so top(user) is equivalent to top(field=user).

Examples

Find the top ten users in the logs and show their counts

```humio
top(user)
```

Find the 20 IP addresses requesting the most bytes from the web server

```humio
top(field=client, sum=bytes_sent, limit=20, as=bytes)
```
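As an added illustration, not Humio's implementation, the following Python model reproduces the documented semantics of top() over a constructed set of web-server events: counting by one or more fields, the sum and max variants, and the limit, as, rest and percent parameters. The two queries above map to the two calls at the bottom. The Python parameter names sum_field, max_field and as_name stand in for sum, max and as; the handling of events that lack the aggregated field, the label placed in the rest row, the default _max name for the max variant and rounding percent to two decimals are assumptions of this example.

```python
from typing import Any, Iterable, Optional, Union

Number = Union[int, float]


def _number(value: Any) -> Optional[Number]:
    """Return value as a number, or None when it is missing or not numeric."""
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return value
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def top(events: Iterable[dict], field: Union[str, list],
        *, sum_field: Optional[str] = None, max_field: Optional[str] = None,
        limit: int = 10, as_name: Optional[str] = None,
        rest: Optional[str] = None, percent: bool = False) -> list[dict]:
    """Model of top(): group by `field`, aggregate, sort descending, keep `limit` rows.

    sum_field / max_field / as_name stand in for the sum, max and as parameters.
    """
    if sum_field and max_field:
        raise ValueError("sum and max cannot be combined")
    fields = [field] if isinstance(field, str) else list(field)
    value_name = as_name or ("_sum" if sum_field else "_max" if max_field else "_count")
    agg_field = sum_field or max_field
    groups: dict[tuple, Number] = {}
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        if all(v is None for v in key):
            continue  # none of the fields present: the event is not counted
        if agg_field is None:
            value: Number = 1
        else:
            num = _number(ev.get(agg_field))
            if num is None:
                continue  # assumption: no numeric value, nothing to sum or compare
            value = num
        if max_field:
            groups[key] = max(groups.get(key, value), value)
        else:
            groups[key] = groups.get(key, 0) + value
    # Highest value first; ties broken by the group key so output is deterministic.
    ordered = sorted(groups.items(), key=lambda kv: (-kv[1], tuple(str(x) for x in kv[0])))
    head, tail = ordered[:limit], ordered[limit:]
    rows = [dict(zip(fields, key)) | {value_name: value} for key, value in head]
    if rest is not None and tail:
        # assumption: the rest row carries the `rest` label in the grouped column(s)
        remainder = max(v for _, v in tail) if max_field else sum(v for _, v in tail)
        rows.append({f: rest for f in fields} | {value_name: remainder})
    if percent:
        total = sum(groups.values())  # share of the grand total; meaningful for count and sum
        for row in rows:
            row["percent"] = round(100.0 * row[value_name] / total, 2) if total else 0.0
    return rows


def build_events() -> list[dict]:
    """Constructed web-server access events (not real data); one event lacks a user."""
    return [
        {"client": "203.0.113.10", "user": "alice", "bytes_sent": 5000},
        {"client": "203.0.113.10", "user": "alice", "bytes_sent": 7000},
        {"client": "203.0.113.11", "user": "bob", "bytes_sent": 1000},
        {"client": "203.0.113.12", "user": "carol", "bytes_sent": 20000},
        {"client": "203.0.113.10", "user": "alice", "bytes_sent": 3000},
        {"client": "203.0.113.13", "bytes_sent": 500},
        {"client": "203.0.113.11", "user": "bob", "bytes_sent": 2500},
        {"client": "203.0.113.12", "user": "dave", "bytes_sent": 1500},
    ]


if __name__ == "__main__":
    events = build_events()
    print(top(events, "user"))                                   # top(user)
    print(top(events, "client", sum_field="bytes_sent",          # top(field=client, sum=bytes_sent,
              limit=2, as_name="bytes", rest="others", percent=True))  # limit=2, as=bytes, rest=others, percent=true)
```

The event without a user is skipped by top(events, "user") but still contributes its 500 bytes to the per-client sums, and with limit=2 the two smaller clients are folded into the rest row rather than disappearing, which is the difference between a truncated and a complete picture of who pulled the most data.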