Sumo Logic

topk

The topk operator allows you to select the top values from fields and group them by fields. The topk operator can replace the top operator and adds the ability to choose the top of top.

Syntax

  • topk(<#>, <top_fields>) [by <group_by_fields>]

# is an integer equal to or greater than 1.

Response Field
  • _rank - the order number of the result.

Examples

Look at the top five source hosts generating the most errors, and the number of errors, for the given timeslices.

error
| timeslice 1m
| count by _timeslice, _sourceHost
| topk(5, _count)


Look at the top 2 results for a given category.

error
| timeslice 1m
| count by _timeslice, _sourceHost
| topk(2, _count) by _sourceHost

Let's find the maximum error counts for each source host over the given time range by slightly changing our query: we add a by clause to the operator and pass _sourceHost as its argument. This tells the system to return the top "x" counts for each source host.

[Screenshot: topk count by source host]

Find the top two source host, source category pairs.

error
| timeslice 1m
| count by _timeslice, _sourceHost, _sourceCategory
| topk(2, _count) by _sourceHost, _sourceCategory

We can specify more than one field in the by clause. In the query above, we are looking for the top 2 results for each source host and source category pair.
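To make the difference between a plain topk and a topk with a by clause concrete, here is an added Python example that emulates timeslice, count by and topk (with _rank) over constructed error events; it is not Sumo Logic code or part of this page, and the host names, categories and timestamps are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample error events (hypothetical hosts and categories), not Sumo Logic data.
SAMPLE_ERRORS = [
    ("2024-05-01T10:00:05", "web-01", "prod/web"),
    ("2024-05-01T10:00:41", "web-01", "prod/web"),
    ("2024-05-01T10:00:52", "web-02", "prod/web"),
    ("2024-05-01T10:00:30", "db-01", "prod/db"),
    ("2024-05-01T10:01:03", "web-01", "prod/web"),
    ("2024-05-01T10:01:11", "web-02", "prod/web"),
    ("2024-05-01T10:01:38", "web-02", "prod/web"),
    ("2024-05-01T10:01:59", "web-02", "prod/web"),
]

def timeslice(ts, minutes=1):
    """Floor an ISO timestamp to the start of its slice, like `timeslice 1m`."""
    dt = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
    return (dt - timedelta(minutes=dt.minute % minutes)).isoformat()

# Rows carrying the metadata fields the queries on this page group by.
EVENTS = [{"_timeslice": timeslice(ts), "_sourceHost": h, "_sourceCategory": c}
          for ts, h, c in SAMPLE_ERRORS]

def count_by(events, *fields):
    """Emulate `count by <fields>`: one row per distinct field tuple, plus _count."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), _count=n) for key, n in counts.items()]

def topk(rows, k, top_field, by=()):
    """Emulate `topk(k, top_field) by <by>`: keep the k rows with the largest
    top_field within each by-group and number them with _rank from 1."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in by)].append(row)  # no `by` -> one group
    result = []
    for group in groups.values():
        ranked = sorted(group, key=lambda r: r[top_field], reverse=True)[:k]
        result.extend({**row, "_rank": rank} for rank, row in enumerate(ranked, 1))
    return result

def top_hosts_overall(k=5):
    """error | timeslice 1m | count by _timeslice, _sourceHost | topk(k, _count)"""
    return topk(count_by(EVENTS, "_timeslice", "_sourceHost"), k, "_count")

def top_slices_per_host(k=2):
    """... | count by _timeslice, _sourceHost | topk(k, _count) by _sourceHost"""
    return topk(count_by(EVENTS, "_timeslice", "_sourceHost"), k, "_count", by=("_sourceHost",))
```

Without a by clause every (timeslice, host) row competes in one ranking; with `by=("_sourceHost",)` each host gets its own ranking, which is the "top of top" behaviour, and a host with fewer than k rows simply returns fewer rows.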
