Need a bit more detail to know exactly what you're after, but using streamstats can give you this type of output:
index=_audit
| eval is_match=if(user="your_user", 1, 0)
| streamstats reset_before="("is_match=1")" count as event_num
| where event_num<10
| table _time user action event_num is_match
| streamstats count(eval(is_match=1)) as n
| where n>0
So here it will look in the _audit index, and then line 2 sets is_match=1 if the event matches your criteria.
streamstats will then count all events following (i.e. in earlier _time order) the match, but reset to 1 when there is a new match.
The where clause will then keep the last 10 events prior to the match, and then the final streamstats is simply to remove the initial set of events up to the first match.
Not sure if this is what you're after doing, but hopefully it gives you some pointers.
You could adjust your approach to list a time window instead of a specific number of events:
<base search>
| eval match_time=if(<match_conditions>,_time,null())
| filldown match_time
| where match_time-_time<=<time_limit>
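The two pipelines above, re-implemented in Python as an added reference model (not Splunk code and not from the posts) over a constructed newest-first event list: preceding_events follows the streamstats/reset_before count, events_within_window follows the filldown time window. The sample events, the 60-second spacing and the is_alice condition are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample events in the shape of index=_audit results (not from
# the page), newest first: the order Splunk hands events to streamstats.
T0 = int(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc).timestamp())
USERS_ACTIONS = [
    ("bob", "search"), ("alice", "login"), ("bob", "search"), ("carol", "search"),
    ("bob", "logout"), ("alice", "login"), ("bob", "search"), ("carol", "search"),
    ("bob", "search"), ("carol", "login"), ("bob", "search"), ("carol", "search"),
    ("bob", "search"), ("carol", "search"), ("carol", "search"), ("bob", "search"),
]
EVENTS = [{"_time": T0 - 60 * i, "user": u, "action": a}
          for i, (u, a) in enumerate(USERS_ACTIONS)]  # 60 s apart, newest first


def is_alice(ev):
    """Assumed match condition; stands in for user="your_user" in the SPL."""
    return ev["user"] == "alice"


def preceding_events(events, is_match, limit=10):
    """Count-based variant: streamstats reset_before=(match) count as event_num
    | where event_num<limit | streamstats count(eval(match)) as n | where n>0.
    Keeps each match (event_num=1) plus the limit-1 older events that follow it
    in the stream, and drops the leading events before the first match."""
    out, event_num, matches_seen = [], 0, 0
    for ev in events:
        m = is_match(ev)
        if m:
            event_num = 0          # reset_before: the match itself restarts the count
        event_num += 1
        if event_num >= limit:
            continue               # where event_num<limit
        matches_seen += int(m)
        if matches_seen == 0:
            continue               # where n>0: nothing has matched yet in the stream
        out.append({**ev, "event_num": event_num, "is_match": int(m)})
    return out


def events_within_window(events, is_match, time_limit):
    """Time-based variant: eval match_time | filldown match_time | where.
    filldown carries the newest match's _time down to the older events, so an
    older event's age is match_time minus _time (newest-first order)."""
    out, match_time = [], None
    for ev in events:
        if is_match(ev):
            match_time = ev["_time"]
        if match_time is None:
            continue               # null match_time: where drops the event
        if match_time - ev["_time"] <= time_limit:
            out.append({**ev, "match_time": match_time})
    return out
```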
Hi @danielbb,
Do you want to display all the events prior to one specified event, or all the events that match the same conditions?
Anyway, the approach is to define the latest time with a subsearch:
<search_conditions1> [ search <search_conditions2> | head 1 | eval earliest=_time-300, latest=_time | fields earliest latest ]
| ...
In this way you use the _time of <search_conditions2> as latest and _time-300 seconds as earliest, and apply them to the primary search, which can be the same as the secondary or different.
Ciao.
Giuseppe