You need to build an ES|QL chart for this kind of things (with the limit of 10000 rows per table) as regular charts will be bound to the number of buckets generated (5 minutes bucket in 7 days is about 3300+ rows per each IP potentially...).
A query like this could help:
FROM your_index | STATS count = count() by BUCKET(@timestamp, 5 minutes), clientip
@user-27022024 Maybe just me, but I find the query a bit ambiguous.
So, my interpretation here was, for every IP that made 1+ requests over last 7 days, you want to know, for every IP, what was the most "active" 5 minute slot, and how active was it (in #requests)
So you would have a table with #uniq_count(clientip) rows, and 3 columns:
timestamp (effectively a 5 minute bucket)
the number of requests in that 5 minute bucket for that specific IP
BUT, I also see the text could be interpreted differently.
