
top operator

Returns the first N records sorted by the specified columns.

Syntax

T | top NumberOfRows by Expression [asc | desc] [nulls first | nulls last]

Arguments

  • NumberOfRows: The number of rows of T to return. You can specify any numeric expression.
  • Expression: A scalar expression by which to sort. The type of the values must be numeric, date, time or string.
  • asc or desc (the default): Controls whether rows are selected from the "bottom" or the "top" of the range.
  • nulls first (the default for asc order) or nulls last (the default for desc order): Controls whether null values are placed at the beginning or the end of the range.

Tip

top 5 by name is equivalent to sort by name | take 5, both semantically and in terms of performance.

Example

events
    | project EventName=name, original_time
    | where original_time > ago(24h)
    | summarize EventCount=count() by EventName
    | top 6 by EventCount    

Results

EventName                  EventCount
Unknown log event          1805451
Firewall Permit            808785
Amazon.CloudFront          620454
Provider started           424952
Traffic Start              314166
Threat Emulation Accept    250516
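
Null handling in ascending order

The following is an added example, not part of the original page. It shows how the nulls default described under Arguments interacts with asc order. The logins table, its columns and its values are constructed for illustration, and the query assumes the datatable operator is available in your environment.

```kql
// Constructed sample data: failed sign-in counts per user.
// Two users have no count recorded (null).
let logins = datatable(user:string, failed_count:long)
[
    "alice", 12,
    "bob",   long(null),
    "carol", 3,
    "dave",  47,
    "erin",  long(null),
    "frank", 3
];
// Goal: the three users with the fewest recorded failures.
// With asc, nulls first is the default, so a plain
//     top 3 by failed_count asc
// would spend two of its three slots on the null rows (bob, erin).
// Stating nulls last moves the null rows to the end of the range,
// so only rows with a recorded value are selected.
logins
| top 3 by failed_count asc nulls last
// Equivalent form, per the Tip above:
// logins
// | sort by failed_count asc nulls last
// | take 3
```

With desc (the default order), nulls last is already the default, so a "highest N" query selects null rows only when fewer than N rows have a value.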