You need to build an ES|QL chart for this kind of thing (with the limit of 10000 rows per table), as regular charts will be bound to the number of buckets generated (a 5-minute bucket over 7 days is about 3300+ rows per IP potentially...).
A query like this could help:
FROM your_index | STATS count = count() by BUCKET(@timestamp, 5 minutes), clientip
@user-27022024 Maybe just me, but I find the query a bit ambiguous.
So, my interpretation here was: for every IP that made 1+ requests over the last 7 days, you want to know, for every IP, what was the most "active" 5-minute slot, and how active was it (in #requests).
So you would have a table with #uniq_count(clientip) rows, and 3 columns:
IP
timestamp (effectively a 5 minute bucket)
the number of requests in that 5 minute bucket for that specific IP
BUT, I also see the text could be interpreted differently.
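As an added illustration of the two readings above (not part of either poster's reply): the first query lists every IP / 5-minute slot pair over the last 7 days, keeps only the busy slots, and sorts them so the most active slot of each IP surfaces at the top, which is the view a defender wants for spotting bursts; the second collapses that to one row per IP with its peak request count. `your_index`, `clientip` and the `500` threshold are assumptions for the example, as is the 7-day window.

```esql
// Query 1: one row per (IP, 5-minute bucket), busiest slots first.
// The WHERE after STATS filters on the aggregated count; the threshold
// of 500 requests per 5 minutes is an assumed value, tune it to the site.
FROM your_index
| WHERE @timestamp >= NOW() - 7 days
| STATS requests = COUNT(*) BY bucket = BUCKET(@timestamp, 5 minutes), clientip
| WHERE requests >= 500
| SORT requests DESC, bucket ASC
| LIMIT 10000

// Query 2: one row per IP with the request count of its single busiest slot.
// MAX(requests) gives the peak size but does not carry the bucket timestamp
// along, so use Query 1 when you need to know *when* the peak happened.
FROM your_index
| WHERE @timestamp >= NOW() - 7 days
| STATS requests = COUNT(*) BY bucket = BUCKET(@timestamp, 5 minutes), clientip
| STATS peak_requests = MAX(requests) BY clientip
| SORT peak_requests DESC
| LIMIT 10000
```

Both queries stay under the 10000-row ES|QL table limit mentioned above only because of the `LIMIT`; on a busy site Query 1 without the threshold can easily exceed it, so the threshold (or a tighter time window) is what keeps the result complete rather than silently truncated.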