rare


This search command creates a table of statistics and a corresponding chart to display the least frequent values of a field. The command also supports the optional group by parameter to display the least frequent values for each distinct tuple of values of the group by field.

For a list of all search commands, see Search-commands.

Syntax

rare limit=<int> <field> [by <field>]

In the preceding syntax, the following definitions apply:

  • [expression] indicates that the enclosed expression is optional.
  • <int> refers to an integer value that represents the maximum number of results to return.
  • by <field> refers to the group by parameter that can be optionally used to group the result set by the specified field.

Short examples

Example 1: Return the 10 least common values of the HOST field.

... | rare limit=10 HOST 

Example 2: Return the least common data pattern values for each host.

... | rare limit=5 DATA_PATTERN by HOST

Example 3: Return the least common request type.

... | rare limit=1 RequestType

Example 4: Return the least common request type per client IP.

... | rare limit=1 RequestType by ClientIp

Long examples

The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the rare command. 

Sample data

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100

Sample indexed data

10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HTTP/1.1" 200 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HTTP/1.1" 201 200

HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 201 150

HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HTTP/1.1" 404 100

HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png

Find least frequent values for a field

In this example, you use the command to see a table of statistics (and a multiseries chart) displaying the least common request types.

Command

... | rare limit=1 RequestType

Output

| RequestType | Count |
|-------------|-------|
| POST        | 1     |

Find least frequent values for a field grouped by another field

In this example, you use the command to see a table of statistics (and a multiseries chart) displaying the least common request types grouped by the ClientIp field.

Command

... | rare limit=1 RequestType by ClientIp

Output

| ClientIp   | RequestType | Count |
|------------|-------------|-------|
| 10.1.1.140 | GET         | 2     |
| 10.1.1.141 | POST        | 1     |

Note

If the number of occurrences of the field used for the by parameter is too large (for example, 500), then the count of values displayed is an approximate value.
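
The two long examples can be reproduced offline to check how limit and by interact, which is useful when the command is used to surface unusual request types per client. The following Python code is an added example, not part of the product or of the original page. The names parse_fields, rare, SAMPLE_LINES and EVENTS are hypothetical, and the tie-breaking rule (input order) is an assumption chosen because it matches the outputs shown in the long examples.

```python
from collections import Counter, defaultdict

# Field lines copied from the page's "Sample indexed data", in displayed order.
SAMPLE_LINES = [
    "HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png",
    "HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png",
    "HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png",
    "HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png",
]


def parse_fields(line):
    """Split a 'NAME=value |NAME=value' line into a dict of stripped fields."""
    fields = {}
    for part in line.split("|"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def rare(events, field, limit, by=None):
    """Least frequent values of `field`, optionally per distinct `by` value.

    Assumption: ties keep input order (Counter preserves first-seen order
    and sorted() is stable). Counts here are exact.
    """
    groups = defaultdict(Counter)
    for event in events:
        if field not in event or (by is not None and by not in event):
            continue  # an event without the field contributes nothing
        groups[event[by] if by else None][event[field]] += 1
    rows = []
    for group in sorted(groups, key=str):
        least = sorted(groups[group].items(), key=lambda item: item[1])[:limit]
        for value, count in least:
            rows.append((group, value, count) if by else (value, count))
    return rows


EVENTS = [parse_fields(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    print(rare(EVENTS, "RequestType", limit=1))                 # first long example
    print(rare(EVENTS, "RequestType", limit=1, by="ClientIp"))  # second long example
```

PUT and POST both occur once in the sample, so which of them a limit=1 query returns depends on tie-breaking; raising the limit shows every value tied for least frequent.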

 

 
