I guess summary indexing will solve both your problem, with or without including _time. Suppose your create a sumary index search with "index=main action=video | stats count by user,video_name " which will run hourly storing into main_1h index, then using "index=main_1h source='yoursummary index search name' | stats sum(count) as views by video_name | sort -views |head 1000" will serve your first requirement and "index=main_1h source='yoursummary index search name' | stats dc(user) as views by video_name| sort -views |head 1000" will serve second.

I would create the summary index with table stats.

index="main" action="video" | table _time, action, user, video_name

It will be far faster to search the subset of data in the summary index then it would be searching the raw data.

How do you mean to include _time? I don't see how this would solve the problem at the moment

Include _time
I had the same problem with failed logon events with over a hundred million windows security events. It changed a searches that were basically impossible to ones that complete in seconds.

Summary indexing is certainly one solution to the first query.

However, if I were to use this for the latter then it would count a distinct user view once per time the summary index runs. So, if the index was run hourly then it would be counted up to 24 times in a report which is meant to show distinct video views over the last 24 hours. This should never be more than once, or it's not distinct.

Any idea to get around this? I've used summary indexes in the past but the same issue always arises when distinct user counts get involved