Rare: Splunk Commands Tutorials & Reference
Commands Category: Filtering
Commands: rare
Use: Displays the least common values of a field. Finds the least frequent tuple of values of all fields in the field list. If the is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.
- countfield-The name of a new field to write the value of count into.
- limit-Specifies how many tuples to return. If you specify limit=0, all values up to maxresultrows are returned. See Limits section. Specifying a value larger than maxresultrows produces an error.
- percentfield-Name of a new field to write the value of percentage.
- showcount-Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- showperc-Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
Use: Displays the least common values of a field. Finds the least frequent tuple of values of all fields in the field list. If the is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.
- countfield-The name of a new field to write the value of count into.
- limit-Specifies how many tuples to return. If you specify limit=0, all values up to maxresultrows are returned. See Limits section. Specifying a value larger than maxresultrows produces an error.
- percentfield-Name of a new field to write the value of percentage.
- showcount-Specify whether to create a field called "count" (see "countfield" option) with the count of that tuple.
- showperc-Specify whether to create a field called "percent" (see "percentfield" option) with the relative prevalence of that tuple.
Example Program using homeworkdataset.csv.
host=homework state=8 level=*
host=homework state=8 level=critical
host=homework state=8 level=critical | rare state by levelReturn the least common values in the "url" field. Limits the number of values returned to 5.
... | rare url limit=5Find the least common values in the "user" field for each "host" value. By default, a maximum of 10 results are returned.
... | rare user by hostShows the least common Values of a field set.
index=sales sourcetype=vendor_sales | rare Vendor limit=5 showperc=False
index=sales sourcetype=vendor_sales | rare product_name by Vendor limit=5 countfiled="Number of Sales" showperc=FlaseUse the rare command to find the files that show up the least amount of times in our events.
Sample Data - Download sample data for lab - ../../tutorial/splunk/labs/fundamental/Splunk_f1_Data.zip
index=main sourcetype=access_combined_wcookie status=200 | rare file
index=main sourcetype=access_combined_wcookie status=200 | rare file by date_month |