index=xxx |bucket _time span=3m |stats count by _time host IP
We are using the above stats command to get count instead of timechart just because we have two by clause fields. We need help in returning Zero count as part of stats iteslf if there is no data available.
(Assuming you want zero counts for host)
You're going to have to either maintain a lookup of the hosts you are interested in, or search for all the hosts in certain time range. If you're happy with a lookup, then you can run your query like this: