The top operator in Axiom Processing Language (APL) allows you to retrieve the top N rows from a dataset based on specified criteria. It’s particularly useful when you need to analyze the highest values in large datasets or want to quickly identify trends, such as the highest request durations in logs or top error occurrences in traces. You can apply it in scenarios like log analysis, security investigations, or tracing system performance.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

The top operator in APL is similar to top in Splunk SPL but allows greater flexibility in specifying multiple sorting criteria.

```sql Splunk example index="sample_http_logs" | top limit=5 req_duration_ms ``` 
['sample-http-logs']
| top 5 by req_duration_ms

In ANSI SQL, the TOP operator is used with an ORDER BY clause to limit the number of rows. In APL, the syntax is similar but uses top in a pipeline and specifies the ordering criteria directly.

```sql SQL example SELECT TOP 5 req_duration_ms FROM sample_http_logs ORDER BY req_duration_ms DESC ``` 
['sample-http-logs']
| top 5 by req_duration_ms

Usage

Syntax

| top N by Expression [asc | desc]

Parameters

  • N: The number of rows to return.
  • Expression: A scalar expression used for sorting. The type of the values must be numeric, date, time, or string.
  • [asc | desc]: Optional. Use to sort in ascending or descending order. The default is descending.

Returns

The top operator returns the top N rows from the dataset based on the specified sorting criteria.

Use case examples

The top operator helps you find the HTTP requests with the longest durations.

Query

['sample-http-logs']
| top 5 by req_duration_ms

Run in Playground

Output

_time req_duration_ms id status uri method geo.city geo.country
2024-10-01 10:12:34 5000 123 200 /api/get-data GET New York US
2024-10-01 11:14:20 4900 124 200 /api/post-data POST Chicago US
2024-10-01 12:15:45 4800 125 200 /api/update-item PUT London UK

This query returns the top 5 HTTP requests that took the longest time to process.

The top operator is useful for identifying the spans with the longest duration in distributed tracing systems.

Query

['otel-demo-traces']
| top 5 by duration

Run in Playground

Output

_time duration span_id trace_id service.name kind status_code
2024-10-01 10:12:34 300ms span123 trace456 frontend server 200
2024-10-01 10:13:20 290ms span124 trace457 cartservice client 200
2024-10-01 10:15:45 280ms span125 trace458 checkoutservice server 500

This query returns the top 5 spans with the longest durations from the OpenTelemetry traces.

The top operator is useful for identifying the most frequent HTTP status codes in security logs.

Query

['sample-http-logs']
| summarize count() by status
| top 3 by count_

Run in Playground

Output

status count_
200 500
404 50
500 20

This query shows the top 3 most common HTTP status codes in security logs.
  • order: Use when you need full control over row ordering without limiting the number of results.
  • summarize: Useful when aggregating data over fields and obtaining summarized results.
  • take: Returns the first N rows without sorting. Use when ordering isn’t necessary.

Good evening

I'm here to help you with the docs.

I
AIBased on your context