I'd like to create a chart of bin counts over time (with a span defined). Right now, I can get the result over the whole time period using:
... | stats count by clientip | bin count as bins | stats count by bins
How can I change this to get a chart of bin counts over time?
Is this what you're looking for?
... | timechart distinctcount(bin)
Or
... | timechart count(bin)
Maybe
... | streamstats count(bin) as bincount by clientip _time | timechart bincount by clientip
Or
... | timechart span=1w count by clientip
@viraptor... You would need to retain the _time field after your first stats command runs. So you can use min(_time) or max(_time) function to retain the same and pass that on to timechart to plot count of bins over _time.
| stats count min(_time) as _time by clientip
| bin count as bins
| timechart count by bins
That's not really what I'm after. This will give me the time of the first request for a given clientip
. It may approximate what I'm after, but the difference matters in my case. I want the results analysed for each (for example) 15 min span separately.
Are you looking for somthing like the following?
| stats count min(_time) as _time max(_time) as MaxTime by clientip
| eval duration=MaxTime-_time
| bin count as bins
| table _time bins duration
You might need to post-process and show duration via Timeline visualization and count via simple timechart.
Anyways. Let me also convert my Answer to comment so that others can pitch in with their answers/opinions.