The top command returns the most common values of a field and their count. By using the by clause, you can group the results by another field. In this case, the top command will return the top three most common values in statusCode for each user. The showperc=f option will suppress the percentage column in the output.  The countfield option will rename the count column to status_code_count 2 .

Fields are searchable key/value pairs in event data. They allow you to specify criteria for your searches and filter out unwanted events. Fields can be extracted automatically by Splunk software during indexing or searching, or manually by users using various methods. Fields are not inherent entities that exist in event data, but rather interpretations of data by Splunk software or users. Fields are not values pulled exclusively from lookup tables, although lookup tables can be used to add fields to events based on existing fields.  Fields are not non-searchable name/value pairs used while indexing data, but rather searchable attributes that can be used to refine searches 5 .

The default time to live (ttl) for an ad-hoc search job is 10 minutes. This means that if no one views the results of a search within 10 minutes, the search job is canceled and the results are deleted.  You can change this setting in the limits.conf file 1 .

The search query sourcetype=access_combined would return events from the access_combined sourcetype, which is a predefined sourcetype in Splunk that matches the access-common or access-combined Apache logging formats 1 .  The sourcetype field is case-sensitive, so using different capitalization such as Access_Combined or ACCESS_COMBINED would not match the exact sourcetype name 2 .  The sourcetype field is also a default field that is added by the indexer when it indexes the data, so it does not need to be enclosed in quotation marks 3 .

References

List of pretrained source types

Search command syntax details

Basic searches and search results