Splunk SPL Commands
What Are the top and rare Commands?
The top command returns the most frequently occurring values of a field. The rare command returns the least frequent values. Both automatically compute count and percentage — making them indispensable for rapid triage during security investigations.
Core Syntax
| top [limit=<N>] <field> [BY <field-list>]
| rare [limit=<N>] <field> [BY <field-list>]
Security Operations Examples
1. Most Targeted Accounts
index=security sourcetype=WinEventLog:Security EventCode=4625
| top limit=20 Account_Name
2. Rare Processes — Threat Hunting
Rare process names across your fleet can indicate malware, living-off-the-land attacks, or unauthorized software.
index=endpoint sourcetype=sysmon EventCode=1
| rare limit=20 process_name BY ComputerName
3. Top Firewall Denied Destinations
index=network sourcetype=firewall action=denied
| top limit=10 dest_ip BY src_zone
4. Rare DNS Queries — C2 Detection
index=dns sourcetype=named
| rare limit=50 query_name
| where count < 3
Controlling Output
Suppressing Count and Percent
| top limit=10 src_ip showcount=false showperc=false
Multi-Field top
| top limit=10 src_ip dest_ip dest_port
When you specify multiple fields, top returns the most common combinations.
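To make the semantics of the core syntax concrete (limit, BY grouping, the automatic count and percent columns), the multi-field form just described, and the `rare ... | where count < 3` filter from example 4, here is an added Python emulation of what `top` and `rare` return. It is not code from the original post or from Splunk. All event records are constructed placeholders shaped like the fields the SPL examples reference; the choice to compute percent relative to each BY group's own total, to skip events missing any referenced field, and to break ties by value are assumptions made here for determinism rather than behaviour the page states.

```python
from collections import Counter

# Constructed sample events (not from any real environment). Field names
# follow the SPL examples above; all values are placeholders.
DNS_EVENTS = (
    [{"sourcetype": "named", "query_name": "login.example.com"}] * 5
    + [{"sourcetype": "named", "query_name": "cdn.example.net"}] * 4
    + [{"sourcetype": "named", "query_name": "updates.example.org"}] * 2
    + [{"sourcetype": "named", "query_name": "a8f3kq.tunnel.example.net"}]
    + [{"sourcetype": "named", "query_name": "q2z9vb.tunnel.example.net"}]
)

FIREWALL_EVENTS = (
    [{"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 443, "src_zone": "internal"}] * 3
    + [{"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 80, "src_zone": "internal"}]
    + [{"src_ip": "10.0.0.7", "dest_ip": "203.0.113.20", "dest_port": 22, "src_zone": "dmz"}] * 2
    # Constructed event with no dest_port: a multi-field top that names
    # dest_port must skip it, while "dest_ip BY src_zone" still counts it.
    + [{"src_ip": "10.0.0.9", "dest_ip": "198.51.100.5", "src_zone": "internal"}]
)


def top_rare(events, fields, by=(), limit=10, rare=False,
             showcount=True, showperc=True):
    """Emulate `top`/`rare <fields> [BY <by>]`.

    Counts each combination of `fields` (so several fields yield the most or
    least common combinations), separately per BY group, and returns up to
    `limit` rows per group with count and percent columns attached.
    Assumption: percent is relative to the group's own event total.
    """
    fields, by = tuple(fields), tuple(by)
    groups = {}  # by-group key -> Counter of field-value tuples
    for ev in events:
        # Assumption: events lacking any referenced field are ignored.
        if any(f not in ev for f in fields + by):
            continue
        gkey = tuple(ev[b] for b in by)
        vkey = tuple(ev[f] for f in fields)
        groups.setdefault(gkey, Counter())[vkey] += 1

    rows = []
    for gkey in sorted(groups):
        counter = groups[gkey]
        total = sum(counter.values())
        # top: highest count first; rare: lowest count first; ties by value.
        ordered = sorted(counter.items(),
                         key=lambda kv: (kv[1] if rare else -kv[1], kv[0]))
        for vkey, count in ordered[:limit]:
            row = dict(zip(by, gkey))
            row.update(zip(fields, vkey))
            if showcount:
                row["count"] = count
            if showperc:
                row["percent"] = round(100.0 * count / total, 6)
            rows.append(row)
    return rows


def rare_dns_candidates(events, limit=50, max_count=3):
    """Example 4 above: `rare limit=50 query_name | where count < 3`.

    rare narrows to the least common names; the where clause keeps only the
    true long tail for analyst follow-up.
    """
    rows = top_rare(events, ("query_name",), limit=limit, rare=True)
    return [r for r in rows if r["count"] < max_count]


def render(rows):
    """Print rows as a simple table, roughly like Splunk's statistics view."""
    if not rows:
        return
    cols = list(rows[0])
    print("  ".join(cols))
    for r in rows:
        print("  ".join(str(r[c]) for c in cols))


if __name__ == "__main__":
    print("-- top limit=10 src_ip dest_ip dest_port --")
    render(top_rare(FIREWALL_EVENTS, ("src_ip", "dest_ip", "dest_port")))
    print("-- top limit=1 dest_ip BY src_zone --")
    render(top_rare(FIREWALL_EVENTS, ("dest_ip",), by=("src_zone",), limit=1))
    print("-- rare limit=50 query_name | where count < 3 --")
    render(rare_dns_candidates(DNS_EVENTS))
```

Running it shows the three SPL shapes side by side: the multi-field `top` reports the (src_ip, dest_ip, dest_port) triple seen 3 times out of the 6 events that carry all three fields (50 percent), the BY form yields one row per src_zone with percent computed inside that zone, and the rare-DNS pipeline leaves only the three names seen fewer than three times.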
When to Use top/rare vs. stats
| Scenario | Use |
|---|---|
| Quick "what's most common?" | top |
| Quick "what's unusual?" | rare |
| Custom aggregation or multiple functions | stats |
| Need more than just count/percent | stats |
Best Practices
- Use `rare` for threat hunting — Anomalies hide in the long tail. Rare process names, rare user-agents, rare DNS queries are gold for detection.
- Set `limit` explicitly — The default is 10. Increase it when hunting across large environments.
- Combine with `BY` for segmented analysis — `top src_ip BY dest_zone` reveals which sources hit each zone most.
- Follow up rare findings with investigation — `rare` identifies candidates; use `search` or `stats` to dig deeper.
Next in the series: The eval command — field creation, conditional logic, and data transformation.