I need to get the count of requests per IP per 30 minutes.
The stats column headers should be clientip and all the 30 minute intervals - 2017-03-17 02:30:00, 2017-03-17 03:00:00, 2017-03-17 03:30:00.
The count for each of those 30 minutes interval should appear for each of the IP addresses.
I tried - host="test" sourcetype=access_log4 | bucket _time span=30m | stats count by clientip, _time
This groups the clientip and _time as unique columns. I want clientip as the only unique column and the minutes to appear dynamically as column headers.
Like this:
host="test" sourcetype=access_log4 | bucket _time span=30m | chart count by clientip _time
Like this:
host="test" sourcetype=access_log4 | bucket _time span=30m | chart count by clientip _time