This page explains how to use the top operator function in APL.
The top operator in Axiom Processing Language (APL) allows you to retrieve the top N rows from a dataset based on specified criteria. It is particularly useful when you need to analyze the highest values in large datasets or want to quickly identify trends, such as the highest request durations in logs or top error occurrences in traces. You can apply it in scenarios like log analysis, security investigations, or tracing system performance.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
The top operator in APL is similar to top in Splunk SPL but allows greater flexibility in specifying multiple sorting criteria.
ANSI SQL users
ANSI SQL users
In ANSI SQL, the TOP operator is used with an ORDER BY clause to limit the number of rows. In APL, the syntax is similar but uses top in a pipeline and specifies the ordering criteria directly.
Usage
Syntax
Parameters
N: The number of rows to return.Expression: A scalar expression used for sorting. The type of the values must be numeric, date, time, or string.[asc | desc]: Optional. Use to sort in ascending or descending order. The default is descending.
Returns
The top operator returns the top N rows from the dataset based on the specified sorting criteria.
Use case examples
The top operator helps you find the HTTP requests with the longest durations.
Query
Output
| _time | req_duration_ms | id | status | uri | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-01 10:12:34 | 5000 | 123 | 200 | /api/get-data | GET | New York | US |
| 2024-10-01 11:14:20 | 4900 | 124 | 200 | /api/post-data | POST | Chicago | US |
| 2024-10-01 12:15:45 | 4800 | 125 | 200 | /api/update-item | PUT | London | UK |
This query returns the top 5 HTTP requests that took the longest time to process.
The top operator helps you find the HTTP requests with the longest durations.
Query
Output
| _time | req_duration_ms | id | status | uri | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-01 10:12:34 | 5000 | 123 | 200 | /api/get-data | GET | New York | US |
| 2024-10-01 11:14:20 | 4900 | 124 | 200 | /api/post-data | POST | Chicago | US |
| 2024-10-01 12:15:45 | 4800 | 125 | 200 | /api/update-item | PUT | London | UK |
This query returns the top 5 HTTP requests that took the longest time to process.
The top operator is useful for identifying the spans with the longest duration in distributed tracing systems.
Query
Output
| _time | duration | span_id | trace_id | service.name | kind | status_code |
|---|---|---|---|---|---|---|
| 2024-10-01 10:12:34 | 300ms | span123 | trace456 | frontend | server | 200 |
| 2024-10-01 10:13:20 | 290ms | span124 | trace457 | cartservice | client | 200 |
| 2024-10-01 10:15:45 | 280ms | span125 | trace458 | checkoutservice | server | 500 |
This query returns the top 5 spans with the longest durations from the OpenTelemetry traces.
The top operator is useful for identifying the most frequent HTTP status codes in security logs.
Query
Output
| status | count_ |
|---|---|
| 200 | 500 |
| 404 | 50 |
| 500 | 20 |
This query shows the top 3 most common HTTP status codes in security logs.