https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606029#M210737 <LI-CODE lang="markup">index=firewall | stats count by src_ip, url | sort 0 src_ip -count | streamstats count as standings by src_ip | where standings &lt; 11 | eventstats sum(count) as total by src_ip | sort 0 -total src_ip -count | streamstats count(eval(standings=1)) as rank | where rank &lt; 11</LI-CODE> Mon, 18 Jul 2022 18:14:30 GMT ITWhisperer 2022-07-18T18:14:30Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606025#M210734 <P>I'm trying to run a query to figure out the top 10 src_ip's along with their top 10 urls visited. When I try the below query it's giving me every src_ip instead of just the top 10.</P> <P>Any suggestions on how to limit the search for just the top 10 src_ip by top 10 url?</P> <P>I've been running something like this:</P> <P>index=firewall | stats count by src_ip, url<BR />| sort 0 src_ip -count<BR />| streamstats count as standings by src_ip<BR />| where standings &lt; 11<BR />| eventstats sum(count) as total by category<BR />| sort 0 -total src_ip -count</P> Mon, 18 Jul 2022 18:11:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606025#M210734 jhamot23 2022-07-18T18:11:09Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606029#M210737 <LI-CODE lang="markup">index=firewall | stats count by src_ip, url | sort 0 src_ip -count | streamstats count as standings by src_ip | where standings &lt; 11 | eventstats sum(count) as total by src_ip | sort 0 -total src_ip -count | streamstats count(eval(standings=1)) as rank | where rank &lt; 11</LI-CODE> Mon, 18 Jul 2022 18:14:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606029#M210737 ITWhisperer 2022-07-18T18:14:30Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606030#M210738 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226905">@jhamot23</a>&nbsp; Did you know there's a <EM>top</EM> command? (it defaults to top 10, but this is configurable if you want)<BR />See if this gets you in the neighborhood:</P><P>&nbsp;</P><LI-CODE lang="markup">index=firewall | top src_ip BY url</LI-CODE><P>&nbsp;</P> Mon, 18 Jul 2022 18:15:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606030#M210738 efavreau 2022-07-18T18:15:32Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606031#M210739 <P>Appreciate the insights. Yes I just started playing around with the top command, and this did help get me in the neighborhood but was looking for a more cleaner list of just top 10 src_ips by top 10 urls visited. Looks like the suggestion below got me the list I was looking for. Thank you!&nbsp;</P> Mon, 18 Jul 2022 18:30:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606031#M210739 jhamot23 2022-07-18T18:30:14Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606032#M210740 <P>This is what I was looking for! Thank you!</P> Mon, 18 Jul 2022 18:30:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-top-10-src-ip-s-along-with-top-10-urls-for-each/m-p/606032#M210740 jhamot23 2022-07-18T18:30:46Z