Q: 3
Select this in the fields sidebar to automatically pipe your search results to the rare command.
Options
Discussion
B. not D. 'Top values' just runs the top command, rare values is the only one piping to rare here.
B. since 'rare values' pipes the search directly to the rare command in Splunk. Top values would use the top command so not the same thing. Pretty sure that's right but let me know if anyone's seen something different.
B. It's 'rare values' in the sidebar that'll trigger the rare command, pretty sure about that. D does top, not rare. Disagree?
B tbh. If you pick 'rare values' in the fields sidebar, it pipes straight to the rare command and shows the least common entries for that field. D would be for top values instead, so it's not that. Pretty sure about this but feel free to correct me if I'm missing something.
B, not D
It’s B. Only 'rare values' in the sidebar actually pipes to the rare command, D is just for top (most common) so easy to mix up. Unless Splunk changed something recently, B is correct here.
Nah, not D. Pretty sure it's B since 'rare values' in the fields sidebar actually runs the rare command automatically. D is a common trap because 'top values' uses the top command, not rare. Anyone have a different take?
Maybe D, I've seen similar options in the Splunk practice labs and 'top values' comes up a lot. Would double check in the official user guide or hands-on search panel though.
I don’t think D is correct - B is what pipes to the rare command. The sidebar option labeled 'rare values' is the one that triggers it in Splunk, top values does something else. Pretty certain but open if someone saw different behavior.
I don't think D is right here. From what I've seen in the UI, only 'rare values' (B) pipes your results to the rare command automatically. D ('top values') runs top, which is about most common, not least. Easy to mix them up since their options sit close together in Splunk, but rare is specific for this use case. Let me know if you see it differently.