https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492495#M137378 <P>Try this</P> <PRE><CODE>index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200 | bucket span=1h _time | stats count as hour_count by _time req_content | stats sum(hour_count) as total_count max(hour_count) as max_per_hour by req_content | sort - total_count limit=100 </CODE></PRE> Thu, 03 Oct 2019 13:50:22 GMT somesoni2 2019-10-03T13:50:22Z https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492493#M137376 <P>Hi, I am working on a query to get the peak hour count of of the top 100 visited pages on my website and i want this together in a single table.<BR /> In simple terms what i want is a table with three columns -<BR /> 1. req_content (visited page)<BR /> 2. Total count of this visited page (suppose in last 7 days)<BR /> 3. Peak hour count of this visited page (suppose in last 7 days).</P> <P>Mainly the 1st and 3rd column and even if we don't get total count that's okay. I have this below query which gives the top 100 visited pages but I also want the peak hour count alongside it in a separate column</P> <P>index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200<BR /> | stats count by req_content<BR /> | sort - count limit=100</P> <P>Any help is appreciated.<BR /> @David <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/182782">@Sukisen1981</a> <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> </P> Wed, 30 Sep 2020 02:22:48 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492493#M137376 Shashank_87 2020-09-30T02:22:48Z https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492494#M137377 <P>Use the <CODE>date_hour</CODE> and <CODE>date_day</CODE> fields like this.. </P> <PRE><CODE>index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200 | stats count by date_hour, req_content, date_day | eventstats max(date_hour) AS date_hour by date_day | sort - count limit=100 </CODE></PRE> <P>This is untested and may need to be adjusted </P> Thu, 03 Oct 2019 13:47:25 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492494#M137377 skoelpin 2019-10-03T13:47:25Z https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492495#M137378 <P>Try this</P> <PRE><CODE>index=test sourcetype=access_combined requested_content="/*" NOT (images OR js OR css OR png OR gif OR json OR jpg OR woff OR eot OR ico OR ttf OR svg OR pdf OR php OR jpeg OR txt) status=200 | bucket span=1h _time | stats count as hour_count by _time req_content | stats sum(hour_count) as total_count max(hour_count) as max_per_hour by req_content | sort - total_count limit=100 </CODE></PRE> Thu, 03 Oct 2019 13:50:22 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492495#M137378 somesoni2 2019-10-03T13:50:22Z https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492496#M137379 <P>@somesoni2 This is brilliant stuff. Thank you very much. This is exactly what i was looking for. Only disappointed that i couldn't think of this.<BR /> Thanks again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 03 Oct 2019 14:23:19 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492496#M137379 Shashank_87 2019-10-03T14:23:19Z https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492497#M137380 <P>Thanks @skoelpin for your response. I have just got it working with the query commented by somesoni. But thanks anyways for looking.</P> Thu, 03 Oct 2019 14:28:20 GMT https://community.splunk.com/t5/Splunk-Search/Peak-hour-count-of-most-Visited-Pages/m-p/492497#M137380 Shashank_87 2019-10-03T14:28:20Z