You need to collect the sync-timestamp field from M1 to the other events and then compare, which can be done using eventstats, as in this example. | makeresults count=3 | streamstats c | eval machine-name="M".c | eval sync-timestamp=now() - 300 + (if(c=3,60,0)), version-number="1.2.3" ``` Data setup above where M3 is 1 minute in front of M1 and M2 ``` ``` Collect the master timestamp to the other events ``` | eventstats values(eval(if('machine-name'="M1", 'sync-timestamp', null()))) as m1-timestamp | where 'sync-timestamp'!='m1-timestamp'

Hi @Mobyd, which version of the Cloud Monitoring Console (CMC) are you using? According to the CMC Release Notes this was fixed in CMC version 3.13.0. Please also see the note at the top of the page: "Splunk Cloud Platform stacks using version 9.0.2303 or higher will receive CMC version upgrades higher than 3.10.2. Stacks using version 9.0.2209 or lower will remain on CMC version 3.10.2." I hope this answers your question. Thanks

What data is the correlation between the same event - please give an example of the data you may see and what you would expect. For example, if you have an event yesterday with  key1=A, key2=B,key3=C and an event today with key1=A, key2=B,key3=D what do you want to show? If you have lots of events with different fields, is there some common object that connects those events to today's events?

I see why you are an "Esteemed Legend," Sir! I learned A LOT in this, like, for the first time how using 'stats' can be used to figure things out. For those coming later: index="policyguru_data" resourceId="sip*" ("CONNECTED" OR "ENDED") This gets both sets of data I need in one pass. | eval status=if(searchmatch("CONNECTED"),"CONNECTED","ENDED") Then creates a new column (status) that just has "CONNECTED" or "ENDED" in it | stats dc(status) AS status_count. <-- distinct count, so since by guid, if it has both, it'll be 2. If it only has 1, it'll be 1. values(status) AS status  <-- display the values in a field called 'status' (I don't need this but it's nice to see/learn!) values(meta) AS meta  <-- same as above last(timestamp) AS timestamp  <-- capture the most recent timestamp (since there will be two for the matches) BY guid | where status_count=1 AND status="CONNECTED" Then, use 'where' to keep the ones that only have "CONNECTED" (so they do NOT have an ENDED record, which is exactly what I want). Thank you, Legend!  

Hi @John.Groetzinger, Thanks for clarifying! You can head on over to the Idea Exchange and do that. Please have a read of the Idea Exchange Submission Guidelines to make sure you submit a complete idea.

This is meant to be a feature request as I was told it was not possible to do this. If it is possible to do today that would be great, I don't have admin role on my tenant, the admins told me I needed to open an idea/feature request. If this is possible today then I would just like to know how to do it, no one i've talked to seems to think it is possible and hence asked me to open the discussion here.

Hello @John.Groetzinger, I saw a similar post as this was also created that read more like a feature request. Thanks for providing more detail here. Are you looking for workarounds or do you want to submit this as a feature request?