---
id: topk
title: topk Search Operator
sidebar_label: topk
description: Use the topk operator to select top values from fields and group them by other fields, choosing the top of top.
slug: /help/docs/search/search-query-language/search-operators/topk/
canonical: https://www.sumologic.com/help/docs/search/search-query-language/search-operators/topk/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The `topk` operator allows you to select the top values from fields and group them by fields. It can replace the `top` operator and adds the ability to choose the top of top.

:::tip
If you're using [`top`](top.md), we recommend switching to `topk` for all your queries so that you can take advantage of its additional functionality.
:::

## Syntax

`topk(<#>, [, , ...]) [by ]`

`#` is an integer equal to or greater than 1.

#### Response Field

* `_rank` - the order number of the result.

## Example

#### Top 5 source hosts generating errors

Look at the top five source hosts generating the most errors and the number of errors for given timeslices:

```sumo
error
| timeslice 1m
| count by _timeslice, _sourceHost
| topk(5, _count)
```

#### Top 2 results

Look at the top 2 results for a given category:

```sumo
error
| timeslice 1m
| count by _timeslice, _sourceHost
| topk(2,_count) by _sourceHost
```

To find the maximum error count for each source host over the given time range, we change the query slightly: we add a `by` clause to the operator and provide `_sourceHost` as an argument. This tells the system that we want the top “x” counts for each source host.

Find the top two source host, source category pairs.

```sumo
error
| timeslice 1m
| count by _timeslice, _sourceHost, _sourceCategory
| topk(2,_count) by _sourceHost, _sourceCategory
```

We can specify more than one argument to group by. In the query above, we are looking for the top 2 results for each source host and source category pair.
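The difference between `topk(2, _count)` and `topk(2, _count) by _sourceHost` described above, modeled in Python as an added example (not Sumo Logic code or its implementation). The rows are constructed, and the tie order and the per-group restart of `_rank` are assumptions of this model.

```python
from collections import defaultdict

# Constructed rows, shaped like the output of
# `error | timeslice 1m | count by _timeslice, _sourceHost`.
ROWS = [
    {"_timeslice": "12:00", "_sourceHost": "web-1", "_count": 40},
    {"_timeslice": "12:01", "_sourceHost": "web-1", "_count": 75},
    {"_timeslice": "12:02", "_sourceHost": "web-1", "_count": 10},
    {"_timeslice": "12:00", "_sourceHost": "db-1", "_count": 5},
    {"_timeslice": "12:01", "_sourceHost": "db-1", "_count": 9},
    {"_timeslice": "12:02", "_sourceHost": "db-1", "_count": 7},
    {"_timeslice": "12:00", "_sourceHost": "auth-1", "_count": 60},
    {"_timeslice": "12:01", "_sourceHost": "auth-1", "_count": 2},
]


def topk(rows, k, field, by=()):
    """Model of topk(k, field) [by ...]: keep the k largest `field` values,
    overall when `by` is empty, otherwise within each group of `by` values.
    Assumptions: ties keep input order; _rank restarts at 1 in every group."""
    if k < 1:
        raise ValueError("k must be an integer equal to or greater than 1")
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in by)].append(row)
    out = []
    for members in groups.values():
        # sorted() is stable, so equal values stay in input order.
        ranked = sorted(members, key=lambda r: r[field], reverse=True)[:k]
        out.extend({**r, "_rank": i} for i, r in enumerate(ranked, start=1))
    return out


def summary(rows):
    """Compact (host, timeslice, count, rank) tuples for display."""
    return [(r["_sourceHost"], r["_timeslice"], r["_count"], r["_rank"])
            for r in rows]


if __name__ == "__main__":
    print("topk(2, _count):")
    for line in summary(topk(ROWS, 2, "_count")):
        print("  ", line)
    print("topk(2, _count) by _sourceHost:")
    for line in summary(topk(ROWS, 2, "_count", by=("_sourceHost",))):
        print("  ", line)
```

Without the `by` clause the low-volume host `db-1` drops out of the result entirely; with it, every host keeps its own two busiest timeslices, which is the view to use when a quiet host's spike matters as much as a noisy host's baseline.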