I'm using this search to find an event that happened within 5 minutes of its previous occurrence:
... | reverse | streamstats current=f last(_time) AS prevTime | eval span=_time - prevTime | where span < 300
I get the event as a result, but I also want to show in the results the event I was comparing it to. How can I do that?
Either like this:
... | reverse | streamstats current=f last(_time) AS prevTime last(_raw) AS prevEvent | eval span = _time - prevTime | where span < 300
Or like this:
... | streamstats current=f last(_time) AS nextTime | reverse | streamstats current=f last(_time) AS prevTime | eval forespan = nextTime - _time | eval backspan= _time - prevTime | where backspan < 300 OR forespan < 300
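As an added illustration (not part of the original answer), the following Python emulates what both searches above do, so you can see row by row which event gets paired with which. The events are a constructed sample, newest first as Splunk hands them to the pipeline; `with_previous` mirrors the first search (`reverse | streamstats current=f last(_time) AS prevTime last(_raw) AS prevEvent | eval span=... | where span < 300`), and `with_neighbours` mirrors the second one, which flags both members of a close pair instead of only the later one. The function names, the 300-second window argument and the sample log lines are all assumptions made for the example.

```python
# Constructed sample events (not from the page), in Splunk's default newest-first order.
# Epoch times are chosen so that two pairs fall inside a 5-minute window and one does not.
SAMPLE_EVENTS = [
    {"_time": 1700000900, "_raw": "user=alice action=login result=failure"},
    {"_time": 1700000700, "_raw": "user=alice action=login result=failure"},
    {"_time": 1700000660, "_raw": "user=alice action=login result=failure"},
    {"_time": 1700000000, "_raw": "user=alice action=login result=failure"},
]


def with_previous(events, window=300):
    """Emulate the first search from the answer above.

    ... | reverse
        | streamstats current=f last(_time) AS prevTime last(_raw) AS prevEvent
        | eval span = _time - prevTime
        | where span < window

    Returns the matching events, each carrying prevTime, prevEvent and span
    so the compared event is visible in the result (e.g. via `table`).
    """
    chronological = list(reversed(events))  # `reverse`: oldest first
    results = []
    prev = None
    for ev in chronological:
        row = dict(ev)
        # current=f: last() is taken over the rows *before* this one only,
        # so the first row has no prevTime (null) and `where` drops it.
        if prev is not None:
            row["prevTime"] = prev["_time"]
            row["prevEvent"] = prev["_raw"]
            row["span"] = row["_time"] - prev["_time"]
            if row["span"] < window:
                results.append(row)
        prev = ev
    return results


def with_neighbours(events, window=300):
    """Emulate the second search: keep an event if it has a neighbour within
    `window` seconds on either side (both events of a close pair are reported).

    ... | streamstats current=f last(_time) AS nextTime      (newest-first order)
        | reverse
        | streamstats current=f last(_time) AS prevTime
        | eval forespan = nextTime - _time | eval backspan = _time - prevTime
        | where backspan < window OR forespan < window
    """
    chronological = list(reversed(events))
    results = []
    for i, ev in enumerate(chronological):
        row = dict(ev)
        backspan = row["_time"] - chronological[i - 1]["_time"] if i > 0 else None
        forespan = (chronological[i + 1]["_time"] - row["_time"]
                    if i + 1 < len(chronological) else None)
        # A comparison against a null field is false in `where`, so an event
        # with no neighbour on one side can only match on the other side.
        if ((backspan is not None and backspan < window)
                or (forespan is not None and forespan < window)):
            row["backspan"], row["forespan"] = backspan, forespan
            results.append(row)
    return results


if __name__ == "__main__":
    for r in with_previous(SAMPLE_EVENTS):
        print(r["_time"], r["span"], "<-", r["prevEvent"])
    print([r["_time"] for r in with_neighbours(SAMPLE_EVENTS)])
```

The practical difference between the two variants is what ends up on the screen: the first returns one row per close pair with the earlier event folded into `prevEvent`, which is what `table _time _raw prevTime prevEvent` needs; the second returns every event that sits within the window of any other, which is more useful when you want to count or visualise bursts rather than inspect pairs.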
Thanks 🙂
What I did was to keep the relevant field from the previous message using the streamstats current=f last command, and then show them in the query result (using table xxx).