Can we set up an alert based on data from the current timestamp and on information from the past 15 mins?
Say at T1 we get a log event "a=2".
Say at T2 we get a log event "a=3".
I would like to check, at T2, whether we have a T1 within the 15 mins before T2.
| makeresults
| eval a="2"
| eval _time = _time - 500
| append [| makeresults | eval a="3"]
| eval host="foo"
| rename COMMENT AS "You might need a '| reverse' here"
| streamstats count(eval(a=="3")) AS sessionID BY host
| stats count min(_time) AS _time dc(a) AS a_count range(_time) AS duration BY host
| where (a_count=="1" AND (now() - _time) > (15 * 60)) OR (a_count=="2" AND duration > (15 * 60))
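The check the question asks for (at each "a=3" event, look back 15 minutes on the same host for an "a=2" event) written out as a sliding-window correlation over a small constructed event list. This is an added example, not code from the poster above and not Splunk's own code; the event list, the host names and the 15-minute window are assumptions chosen to show a match, a pair too far apart, and a T1 that arrives after its T2 (which must not count).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events, not taken from the original thread: (timestamp, host, a)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00Z", "foo", "2"),  # T1 on foo
    ("2024-01-01T10:08:20Z", "foo", "3"),  # T2 on foo, 8m20s later  -> match
    ("2024-01-01T11:00:00Z", "bar", "2"),  # T1 on bar
    ("2024-01-01T11:20:00Z", "bar", "3"),  # T2 on bar, 20m later    -> no match
    ("2024-01-01T12:00:00Z", "baz", "3"),  # T2 on baz with no prior T1 -> no match
    ("2024-01-01T12:05:00Z", "baz", "2"),  # T1 after T2: must not count
]

WINDOW = timedelta(minutes=15)  # assumed look-back window from the question


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamps used in SAMPLE_EVENTS."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_pairs(events, window=WINDOW):
    """For every a=3 event, report whether the same host logged a=2 within the
    preceding `window` (inclusive of the boundary, exclusive of later events).

    Returns a list of (host, t2_iso, matched, t1_iso_or_None), one per a=3 event.
    """
    # Sort oldest-first so out-of-order input (Splunk returns newest first,
    # hence the "| reverse" hint in the posted search) is handled correctly.
    ordered = sorted(
        ((parse_ts(ts), host, a) for ts, host, a in events), key=lambda e: e[0]
    )
    last_t1 = {}  # host -> most recent a=2 timestamp seen so far
    results = []
    for ts, host, a in ordered:
        if a == "2":
            last_t1[host] = ts
        elif a == "3":
            t1 = last_t1.get(host)
            matched = t1 is not None and ts - t1 <= window
            results.append((host, ts.isoformat(), matched, t1.isoformat() if matched else None))
    return results


def unmatched_hosts(events, window=WINDOW):
    """Hosts whose a=3 event had no a=2 in the look-back window: the rows an
    alert on "T2 without a recent T1" would fire on."""
    return [host for host, _, matched, _ in find_pairs(events, window) if not matched]


if __name__ == "__main__":
    for row in find_pairs(SAMPLE_EVENTS):
        print(row)
    print("alert on:", unmatched_hosts(SAMPLE_EVENTS))
```

Run as-is it reports foo as matched and bar and baz as unmatched. Note that the search posted above returns a row in the opposite situation (a single event older than 15 minutes, or a pair more than 15 minutes apart), so it fires when the pair did not happen inside the window; which direction you want depends on whether the alert should mean "T2 confirmed" or "T2 missing".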
An alert is based on the output of a search. A search, unless it's a real-time search (which you shouldn't use anyway ;-)), is based on past data.
So the general answer is - yes, you can alert based on past data.
Question is how to build a search which will return proper results from your data. It will depend on your needs and your data.
Set the time frame for the search to the past 15 minutes and see if both events are returned.