Contribute in GitHub:
Edit online
top-hitters operator
Returns the most popular distinct values, or the values with the largest sum, in the input.
Syntax
T | top-hitters NumberOfValues of ValueExpression
T | top-hitters NumberOfValues of ValueExpression by SummingExpression
Arguments
-
NumberOfValues: The number of distinct values of ValueExpression. Expressions of type
int,long, andrealare valid (rounded down). -
ValueExpression: An expression over the input table T whose distinct values are returned.
-
SummingExpression: If specified, a numeric expression over the input table T whose sum per distinct value of ValueExpression establishes which values to emit. If not specified, the count of each distinct value of ValueExpression will be used instead.
Remarks
The first syntax (no SummingExpression) is conceptually equivalent to:
T
| summarize C``=``count() by ValueExpression
| top NumberOfValues by C desc
The second syntax (with SummingExpression) is conceptually equivalent to:
T
| summarize S``=``sum(*SummingExpression*) by ValueExpression
| top NumberOfValues by S desc
Examples
Get most frequent items with a criteria
The next example shows how to find top-5 source ip addresses with most destination ip addresses
events
| project src_ip, dst_ip, original_time
| where original_time > ago(24h)
| where isnotempty(src_ip) and src_ip != '127.0.0.1'
| summarize EventCount=count() by src_ip, dst_ip
| top-hitters 5 of src_ip, dst_ip by EventCount
Results
| src_ip | dst_ip | approximate_count_EventCount |
|---|---|---|
| 10.10.10.10 | 10.20.20.20 | 1539954127 |
| 192.168.55.132 | 192.168.45.67 | 339827659 |
| 10.18.34.10 | 10.18.34.10 | 262197491 |
| 172.16.0.0 | 172.16.0.0 | 227003107 |
| 10.2.3.10 | 10.10.20.30 | 207943448 |