Hello!

I analyze DNS-log. I can get stats count by Domain:

| stats count by Domain 

And I can get list of domain per minute'

index=main3   |bucket span=1m _time | stats values(Domain) by _time

But I can't combine this two search... I would like to receive as a result of such a table:

_time     Domain        count
12:51     domain1.com    2
          domain2.com    5
          domain3.net    3
12:52     domain1.com    4
          domain2.com    2
          domain3.net    9

How I can make it?