https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493776#M137694 <P>Try like this</P> <PRE><CODE>index=temp_index source="/app/request.log" host="server-1b*" GET | rex field=_raw "GET (?&lt;requested_content&gt;[^\s]+)" | bucket span=1h _time | stats count as hour_count by _time requested_content | where hour_content&gt;50 | sort 100 -hour_content </CODE></PRE> <P>OR </P> <PRE><CODE>index=temp_index source="/app/request.log" host="server-1b*" GET | rex field=_raw "GET (?&lt;requested_content&gt;[^\s]+)" | bucket span=1h _time | stats count as hour_count by _time requested_content | where hour_content&gt;50 | stats max(hour_content) as hour_content by requested_content | sort 100 -hour_content </CODE></PRE> Tue, 10 Mar 2020 16:38:07 GMT somesoni2 2020-03-10T16:38:07Z https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493774#M137692 <P>Hi, I have a ask where I need to find out top 100 URL's who have hourly hits more than 50 on the server means if a particular URL is requested more than 50 times in an hour then I need to list it. <BR /> And I need to list these kind of top 100 URL's which are most visited.<BR /> Any help is appreciated. Below is the query I have but it is not giving what i want -</P> <P>index=temp_index source="/app/request.log" host="server-1b*" GET <BR /> | rex field=_raw "GET (?[^\s]+)" <BR /> | bucket span=1h _time <BR /> | stats count as hour_count by _time requested_content </P> Wed, 30 Sep 2020 04:36:16 GMT https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493774#M137692 Shashank_87 2020-09-30T04:36:16Z https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493775#M137693 <P>Hi @Shashank_87,</P> <P>If you are extracting URL from _raw and counting it then try this:</P> <PRE><CODE>index=temp_index source="/app/request.log" host="server-1b*" GET | rex field=_raw "GET (?&lt;URL&gt;[^\s]+)" | bucket span=1h _time | stats count as hour_count by _time URL | where hour_count &gt; 50 | top 100 URL </CODE></PRE> Tue, 10 Mar 2020 16:34:02 GMT https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493775#M137693 manjunathmeti 2020-03-10T16:34:02Z https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493776#M137694 <P>Try like this</P> <PRE><CODE>index=temp_index source="/app/request.log" host="server-1b*" GET | rex field=_raw "GET (?&lt;requested_content&gt;[^\s]+)" | bucket span=1h _time | stats count as hour_count by _time requested_content | where hour_content&gt;50 | sort 100 -hour_content </CODE></PRE> <P>OR </P> <PRE><CODE>index=temp_index source="/app/request.log" host="server-1b*" GET | rex field=_raw "GET (?&lt;requested_content&gt;[^\s]+)" | bucket span=1h _time | stats count as hour_count by _time requested_content | where hour_content&gt;50 | stats max(hour_content) as hour_content by requested_content | sort 100 -hour_content </CODE></PRE> Tue, 10 Mar 2020 16:38:07 GMT https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493776#M137694 somesoni2 2020-03-10T16:38:07Z https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493777#M137695 <P>@manjunathmeti Hi Manju, this has worked perfectly. Thanks very much.</P> Wed, 11 Mar 2020 09:11:47 GMT https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493777#M137695 Shashank_87 2020-03-11T09:11:47Z https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493778#M137696 <P>@somesoni2 Hi, this is also one of the solution and works in my situation but it gives multiple rows with the same URL which is fine because duplicates can be removed.<BR /> Thanks very much for the response.</P> Wed, 11 Mar 2020 09:13:10 GMT https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493778#M137696 Shashank_87 2020-03-11T09:13:10Z https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493779#M137697 <P>You're welcome!</P> Wed, 11 Mar 2020 09:26:43 GMT https://community.splunk.com/t5/Splunk-Search/List-of-top-URLs-with-hourly-count-gt-50/m-p/493779#M137697 manjunathmeti 2020-03-11T09:26:43Z