How to list domains/hosts results before and after a specific domain was connected to?
I'm trying to create a dashboard with a statistics table that will show a list of domains/hosts 10 minutes before and after a user connected to a specific domain.

e.g. A user connected to abc.com at 12pm EST on 4/7/2022. I want to be able to input the user's ID and host (abc.com) into text fields, and when I submit/search I want the results to show (sorted by time) all of the domains/hosts the user went to in the 10 minutes leading up to abc.com, as well as all of the domains/hosts in the 10 minutes after abc.com.

I am stuck and have tried different variations of the query below using sort and desc. I've gotten results; however, they only show the specific host that was entered into the text field and not the other hosts around that searched host.

This is what I've started with and as previously mentioned, I've tried altering it quite a few times:

index=proxy userID=$user_id$ host=$host_id$ | table _time, userID, host, ip, | sort host span=10m, -host span=10m

Any assistance is appreciated!

Since you want to see all hosts, not just abc.com, use host=* instead of host=$host_id$.
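An added example (not from the original post or the answer above) of one way to build the +/-10 minute window: a subsearch finds the most recent connection to the searched host and turns it into earliest/latest for the outer search, which uses host=* so every host the user visited in that window is returned. Field names (index=proxy, userID, host, ip) and the $user_id$/$host_id$ tokens are taken from the question; the "position" field is an assumption added for readability.

```spl
index=proxy userID=$user_id$ host=*
    [ search index=proxy userID=$user_id$ host=$host_id$
      | head 1
      | eval earliest=_time-600, latest=_time+600
      | return earliest latest ]
| eventstats max(eval(if(host="$host_id$", _time, null()))) as anchor
| eval position=case(_time<anchor, "before", _time>anchor, "after", true(), "searched host")
| table _time, userID, host, ip, position
| sort _time
```

The `return earliest latest` line emits `earliest=<epoch> latest=<epoch>`, which the outer search accepts as time modifiers; `head 1` picks the latest matching connection within the dashboard's time picker range, so narrow that range (or replace `head 1` with a `where` on a chosen timestamp) if the user connected to the host more than once.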

