Hi, can't seem to get what I'm looking for working. Here is what I want to do.
Issue a main search of events. Find events around the same time (+/- 10 seconds) around each event of the main search. My result set would be list of events before and after (+/- 10 sec) each main search event.
Hmm, just noticed I'm not getting the results from the base search. Is there a way I can see both the base search and map search as events?
This is what I'm running.
index=myindex AND sourcetype=mysource AND Name="SYSTEMERROR"
| eval starttime=time-10
| eval endtime=starttime+10
| map search="search index=myindex source="anothersource" earliest=$starttime$ latest=$end_time$"
Yup... Map uses base search as input and it's search as output for the query. I don't of any better way to have to result of both the queries without appending the base search again, as subsearch, at the end.
base search | map search="some search" | append [search base search]