rare

import { Aside } from ‘@astrojs/starlight/components’;

The rare command finds the least common values (or combinations of values) for the specified fields. It is the inverse of top — instead of returning the most frequent values, it returns the least frequent. Results are sorted from least to most common.

rare is a powerful tool for anomaly surfacing. In observability data, uncommon values often signal problems: a rare error type, a service name that only appeared recently, or an unusual status code can all indicate issues that deserve investigation.

Syntax

rare [rare-options] <field-list> [by <group-field>]

Arguments

Argument	Required	Type	Default	Description
`<field-list>`	Yes	Comma-delimited field names	—	The fields to find rare values for. When multiple fields are specified, `rare` finds the least common combinations.
`by <group-field>`	No	Field name(s)	—	One or more fields to group the results by. Rare values are computed separately within each group.
`showcount`	No	Boolean	`true`	When `true`, includes a count column showing the frequency of each value. Set to `false` for cleaner output.
`countfield`	No	String	`count`	The name of the count column in the output. Only applies when `showcount=true`.

Usage notes

Anomaly surfacing. Rare values in observability data are often signals: a rare error type, a service that barely produces logs, or an unusual severity level can all indicate issues.
Rare error types. Use rare on error message fields to find unusual errors that might be masked by high-volume common errors.
Rare service names. A service that appears rarely in logs might be failing to start, experiencing intermittent connectivity, or newly deployed.
Rare status codes. Uncommon HTTP status codes or gRPC error codes can reveal edge cases in your application logic.
Use by clause for per-group rare values. Find what is unusual within each group — for example, the rarest severity level per service.
Returns up to 10 results. The rare command returns at most 10 results per group-by combination. Unlike top, there is no parameter to increase this limit.

Examples

Rarest severity levels

Find the least common log severity levels across all services:

| rare severityText

Try in playground →

Rarest services by log volume

Find the services that produce the fewest logs — these may be failing or newly deployed:

| rare `resource.attributes.service.name`

Try in playground →

Rare severity levels by service

Find the rarest severity levels within each service. A service that rarely produces ERROR logs suddenly showing them is noteworthy:

| rare showcount=false severityText by `resource.attributes.service.name`

Try in playground →

Hide the count column

Return just the rare values without frequency counts:

| rare showcount=false severityText

Try in playground →

Rename the count column

Use a custom name for the count field:

| rare countfield='occurrences' `resource.attributes.service.name`

Try in playground →

Extended examples

Rare service-severity combinations in OTel logs

Find unusual combinations of service and severity level. Combinations that appear rarely may indicate new failure modes:

| rare `resource.attributes.service.name`, severityText

Try in playground →

Rare span operations per OTel service

Find the least frequently executed operations in each service from trace data. Rare operations can indicate code paths that are only hit under unusual conditions — potential sources of untested behavior:

source = otel-v1-apm-span-*
| rare name by serviceName

This is especially useful after a deployment: if a new operation name appears in rare output that was not there before, it may indicate new functionality or an unexpected code path being triggered.

rare

Syntax

Arguments

Usage notes

Examples

Rarest severity levels

Rarest services by log volume

Rare severity levels by service

Hide the count column

Rename the count column

Extended examples

Rare service-severity combinations in OTel logs

Rare span operations per OTel service

See also