Learn more about the Cortex Query Language top stage, which returns the approximate count of the top elements for a field and the percentage of the count results.
Note
This stage is unsupported with Correlation Rules.
Syntax
top <integer> <field> [by <field1> ,<field2>...] [top_count as <column name>, top_percent as <column name>]
Description
The top stage returns the approximate count of the top elements for a given field and the percentage of each count relative to the total number of values for the designated field. Use the top stage to produce approximate results, which scale better in terms of memory usage and time.
The <integer> in the syntax represents the number of top elements to return. If a number is not specified, up to 10 elements are returned by default. The approximate count is listed in the results table in a column called TOP_COUNT and the percentage in a column called TOP_PERCENT. You can rename both columns by defining top_count as <column name>, top_percent as <column name> in the syntax. If you define only one of the two column names in the syntax, the results table displays that column without displaying the other column.
Examples
Returns a table with 3 columns called EVENT_ID, TOP_COUNT, and TOP_PERCENT with up to 10 unique values for event_id with the corresponding counts and percentages.
dataset = xdr_data | top event_id
Returns a table with 3 columns called ACTION_COUNTRY, EVENT_ID, and TOTAL with a single unique value for the event_id for each action_country with the corresponding count in the TOTAL column.
dataset = xdr_data | top 1 event_id by action_country top_count as total
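The following Python model reproduces the shape of the result tables produced by the two examples above, so that the meaning of TOP_COUNT, TOP_PERCENT, the by clause, and the column-renaming rule can be checked on a small input. It is an added illustration, not Cortex code: the rows in SAMPLE_ROWS are constructed (they are not real xdr_data records), the counts are exact rather than approximate, and the assumption that rows without a value for the field do not contribute to the total is the author's, not something the page states.

```python
from collections import Counter, defaultdict

# Constructed sample rows standing in for a dataset; these are not real xdr_data records.
SAMPLE_ROWS = [
    {"event_id": "PROCESS", "action_country": "US"},
    {"event_id": "PROCESS", "action_country": "US"},
    {"event_id": "NETWORK", "action_country": "US"},
    {"event_id": "PROCESS", "action_country": "US"},
    {"event_id": "NETWORK", "action_country": "US"},
    {"event_id": "FILE", "action_country": "US"},
    {"event_id": None, "action_country": "US"},  # no value for the field: not counted
    {"event_id": "NETWORK", "action_country": "DE"},
    {"event_id": "PROCESS", "action_country": "DE"},
    {"event_id": "NETWORK", "action_country": "DE"},
]


def top(rows, field, n=10, by=(), top_count=None, top_percent=None):
    """Model of the XQL top stage (exact counts; the real stage is approximate).

    Returns one result row per (group, value) for the n most frequent values of
    `field`, with the count and the percentage of that count relative to the
    total number of rows in the same group that carry a value for `field`.
    Column naming follows the page: TOP_COUNT / TOP_PERCENT by default; when
    exactly one of the two names is overridden, only that column is emitted.
    """
    if top_count is None and top_percent is None:
        top_count, top_percent = "TOP_COUNT", "TOP_PERCENT"

    # Group rows by the `by` fields and count the values of `field` inside each group.
    counters = defaultdict(Counter)
    for row in rows:
        value = row.get(field)
        if value is None:  # assumption: null values do not contribute to the total
            continue
        key = tuple(row.get(b) for b in by)
        counters[key][value] += 1

    results = []
    for key, counter in counters.items():
        total = sum(counter.values())  # denominator for the percentage, per group
        for value, count in counter.most_common(n):
            out = {b.upper(): k for b, k in zip(by, key)}
            out[field.upper()] = value
            if top_count is not None:
                out[top_count.upper()] = count
            if top_percent is not None:
                out[top_percent.upper()] = round(100.0 * count / total, 2)
            results.append(out)
    return results


if __name__ == "__main__":
    # Model of: dataset = xdr_data | top event_id
    for r in top(SAMPLE_ROWS, "event_id"):
        print(r)
    # Model of: dataset = xdr_data | top 1 event_id by action_country top_count as total
    for r in top(SAMPLE_ROWS, "event_id", n=1, by=("action_country",), top_count="total"):
        print(r)
```

In the first call the percentages are computed against the nine rows that carry an event_id (the row with no value is left out of the denominator); in the second call the denominator is per action_country group, and because only top_count was renamed, the TOP_PERCENT column is absent from the result, matching the page's description of that example.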