This search command creates a table of statistics and a corresponding chart to display the least frequent values of a field. The command also supports the optional group by parameter to display the least frequent values for each distinct tuple of values of the group by field.
The values displayed in the table of statistics and the bars displayed in the chart are clickable. When you click a value in the table, the tabular view is toggled to the search results view, and events associated with those values are displayed.
This topic contains the following information:
For a list of all search commands, see Search commands.
Syntax
rare limit=<int> <field> [by <field>]
In the preceding syntax, the following definitions apply:
- [expression] indicates it is optional.
<int>refers to an integer value that represents the maximum number of results to return.by <field>refers to the groupbyparameter that can be optionally used to group the result set by the specified field.
Short examples
Example 1: Return the 10 least common values of the HOST field.
... | rare limit=10 HOST Example 2: Return the least common data pattern values for each host.
... | rare limit=5 DATA_PATTERN by HOST
Example 3: Return the least common request type.
... | rare limit=1 RequestType
Example 4: Return the least common request type per client IP.
... | rare limit=1 RequestType by ClientIp
Long examples
The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the rare command.
Sample data
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png |
Sample indexed data
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
Find least frequent values for a field
In this example, you use the command to see a table of statistics (and a multiseries chart) displaying the least common request types.
Command
... | rare limit=1 RequestType
Output
| RequestType | Count |
|---|---|
| POST | 1 |
Find least frequent values for a field grouped by another field
In this example, you use the command to see a table of statistics (and a multiseries chart) displaying the least common request types grouped by the ClientIp field.
Command
... | rare limit=1 RequestType by ClientIp
Output
| ClientIp | RequestType | Count |
|---|---|---|
| 10.1.1.140 | GET | 2 |
| 10.1.1.141 | POST | 1 |
Note
If the number of occurrences of the field used for the by parameter is too large (for example, 500), then the count of values displayed is an approximate value.
Related topics
Overview
Content Tools
Apps
Reporter Replacement
com.bmc.atlassian.bmc-util-plugin-2.section.label
Tasks