Hello all, I'm not sure ... heh, well, I'm in the unfortunate position of not knowing what I don't know.
I'm fairly new to all of this, and I don't know if I'm trying to ask the system to do too much, or if I'm not thinking about the problem in the correct manner, or, well, what, exactly. I have an Elastic and a Kibana instance up and running, and I have data coming into Elastic and being indexed. I have a stream of events being sent as individual records: IP address, server resources used, nanosecond-resolution timestamp (complete overkill, as you'll see in a moment, but it's just how the data source came to me), a source identifier, and a destination identifier.
What I want to be able to do (and I apologize if I use the wrong terminology) when I make a visualization out of this data (at least, I think this is what I want to do) is to break it out into a table, where each row is an hour-long bucket (so a 1-hour date histogram, if I've understood the concepts in the documentation correctly), and then the columns are a histogram, ten buckets across the entire data set. And the buckets I need there are something like "within that hour window, for each IP address I have an entry for, count the number of records for each IP address". Then the actual value of the cell should be the unique count of the IP addresses that meet those criteria. So I end up with a chart that shows, for each given hour over whatever period I'm looking at, how many unique users (represented by IP addresses) are making the calls that make up, say, the bottom 10% of the number of calls being handled, and then 20%, 30%, and so on.
But I have not had any luck with the documentation figuring out how to do anything anywhere near that complicated in Kibana. In fact, I'm not even sure if I should be trying to do this in Kibana or in Elastic.
It's also possible that I've misunderstood some concept about how best to shape one's input data, or how to deal with it after it's in Elastic. I'm definitely not a statistician.
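As an added worked example (not from the original post or from Elastic), the table described above can be built in two steps: Elasticsearch supplies the per-hour, per-IP call counts through a date_histogram with a terms sub-aggregation, and the "ten buckets across the count range, cell = number of distinct IPs" step is done client-side, since that second histogram runs over the counts of other buckets rather than over documents. The field names "@timestamp" and "ip" and the sample events are assumptions/constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Elasticsearch side (assumed field names "@timestamp" and "ip"): one bucket per
# hour, and inside it one bucket per IP whose doc_count is that IP's call count.
ES_AGG = {"size": 0, "aggs": {"per_hour": {
    "date_histogram": {"field": "@timestamp", "fixed_interval": "1h"},
    "aggs": {"per_ip": {"terms": {"field": "ip", "size": 10000}}}}}}

def hour_bucket(ts_ns):
    """Truncate a nanosecond epoch timestamp to its UTC hour."""
    return datetime.fromtimestamp(ts_ns // 10**9, tz=timezone.utc).replace(
        minute=0, second=0, microsecond=0)

def calls_per_ip_by_hour(events):
    """events: iterable of (ts_ns, ip). Returns {hour: Counter(ip -> calls)},
    the same shape the ES_AGG response gives (per_hour -> per_ip.doc_count)."""
    table = defaultdict(Counter)
    for ts_ns, ip in events:
        table[hour_bucket(ts_ns)][ip] += 1
    return table

def count_histogram(per_ip, n_buckets=10):
    """Split one hour's per-IP call counts into n equal-width ranges from the
    smallest to the largest count and return how many distinct IPs fall in
    each range (one row of the table). Integer arithmetic keeps edges exact."""
    cells = [0] * n_buckets
    if not per_ip:
        return cells
    lo, hi = min(per_ip.values()), max(per_ip.values())
    width = max(1, -(-(hi - lo + 1) // n_buckets))  # ceiling division
    for calls in per_ip.values():                   # one entry per IP -> unique
        cells[(calls - lo) // width] += 1
    return cells

def build_table(events, n_buckets=10):
    """{hour: [unique IPs in count-range 0, ..., count-range n-1]}."""
    table = calls_per_ip_by_hour(events)
    return {h: count_histogram(c, n_buckets) for h, c in sorted(table.items())}

# Constructed sample stream: three IPs in the first hour (1, 1 and 10 calls),
# then one IP in the following hour (5 calls).
BASE_NS = 1_700_000_000 * 10**9
SAMPLE_EVENTS = ([(BASE_NS, "10.0.0.1"), (BASE_NS + 10**9, "10.0.0.2")]
                 + [(BASE_NS + i * 10**9, "10.0.0.3") for i in range(10)]
                 + [(BASE_NS + (3600 + i) * 10**9, "10.0.0.4") for i in range(5)])

if __name__ == "__main__":
    for hour, cells in build_table(SAMPLE_EVENTS).items():
        print(hour.isoformat(), cells)
```

Feeding the ES_AGG response into the same count_histogram is a matter of reading each per_ip bucket's key and doc_count into a Counter per per_hour bucket.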