How to search web traffic from a particular IP address, count hostnames by 15 minute increments | then chart count by catdesc.


What I am trying to get:
A 14-day chart of category descriptions that has a meaningful count. Right now I see things like:

Search Engines and Portal 7000

What I would like it to be:
Search Engines and Portal 344

On the back end a person went to google and did multiple searches for ~ 15 minutes a day over 14 days.

Detailed thoughts:
Look at an IP address's website traffic over 14 days, distinguish a visit to a site vice numerous log entries due to the initial visit to a site (pulls something like 6-9 different events). Transform that into catdesc to show # of visits to a particular type over 14 days.

What I had originally tried was:
(IP address) www.*| chart count by catdesc limit=0 | sort -count

Thank you!

I might do something like this. I don't know if it's the most efficient or whatever but hope this helps. I like to use list rather than values but I guess I'm the only one. Maybe look at the values command as well.

ipaddress www.*(I'm guessing this is a source or sourcetype?) | bucket span=15m _time | stats list(catdesc) AS Description, list(count) as Count by (ipaddress/hostname) | sort -Count

Thank you for the answer, I really appreciate it.

This is what I used: (time 24 hours)
(IP Address) www.*| bucket span=15m _time | stats list(catdesc) AS Description, list(count) as count by hostname | sort -Count

I get:
Hostname Description Count
Google Search Engines and Portals was blank.

Do you know how to convert the descriptions to counts and only show:

Google Search Engines and Portals 37.

Does the bucket span 15 take the length (24 hours) and break it down into 15 minute increments?

Thank you
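
An added example, not part of the original thread: a Python sketch of the counting logic the question asks for, collapsing every event for the same hostname inside one 15-minute bucket into a single visit and then counting visits per catdesc. The sample events and the hostname www.example-news.test are constructed, and the SPL in the comment assumes hostname and catdesc are already extracted fields.

```python
from collections import Counter
from datetime import datetime

# Roughly equivalent SPL (assumes extracted fields hostname and catdesc):
#   <IP address> www.* | bin _time span=15m | dedup _time hostname
#   | stats count by catdesc | sort - count

# Constructed sample events: (_time, hostname, catdesc). Not real log data.
G, S = "www.google.com", "Search Engines and Portals"
N_HOST, N = "www.example-news.test", "News and Media"
SAMPLE_EVENTS = [
    ("2024-03-01 09:00:05", G, S),
    ("2024-03-01 09:00:06", G, S),
    ("2024-03-01 09:03:40", G, S),
    ("2024-03-01 09:14:59", G, S),   # last second of the 09:00 bucket
    ("2024-03-01 09:15:00", G, S),   # first second of the 09:15 bucket
    ("2024-03-01 09:20:10", G, S),
    ("2024-03-01 09:05:00", N_HOST, N),
    ("2024-03-01 09:05:01", N_HOST, N),
    ("2024-03-02 09:02:00", G, S),   # next day, so a separate bucket
    ("2024-03-02 09:02:01", G, S),
]

def bucket_start(ts, span_min=15):
    """Round a timestamp down to the start of its bucket, which is what
    bin/bucket span=15m does to _time. span_min must divide 60."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt.replace(minute=dt.minute - dt.minute % span_min, second=0)

def raw_counts(events):
    """Plain 'chart count by catdesc': every log entry is counted."""
    return Counter(catdesc for _, _, catdesc in events)

def visits_by_catdesc(events, span_min=15):
    """Count one visit per (bucket, hostname), then total by catdesc.
    Browsing that straddles a bucket boundary counts as two visits."""
    seen = {(bucket_start(ts, span_min), host, cat) for ts, host, cat in events}
    return Counter(cat for _, _, cat in seen)

if __name__ == "__main__":
    print("raw:   ", dict(raw_counts(SAMPLE_EVENTS)))
    print("visits:", dict(visits_by_catdesc(SAMPLE_EVENTS)))
```

The span does not split the search window itself: each event's timestamp is rounded down to the start of its own 15-minute bucket, so a 24-hour search can produce at most 96 distinct bucket values.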

