Thanks for your explanation. First, try this
index=xxx earliest="-7d@w0" latest="now"
| eval type=case(_time>=relative_time(now(),"-7d@w0") AND _time<=relative_time(now(),"@w0"),"Before",
_time>=relative_time(now(),"-15m"),"After",
1==1,"Other")
| where type!="Other"
| rex field=_raw "<RequestName>(?<Request_Name>.*?)</RequestName>"
| stats count(eval(type=="Before")) as Before_Count count(eval(type=="After")) as After_Count by Request_Name
| where Before_Count = 0 | fields Request_Name
The above search will list only the requests where there were no incidents in the "before" category, only in the "after" category.
The second issue that you mention was that the time range of the search could vary. This is a different problem entirely. To deal with it, I suggest
1 - Enclose the search in a form. Use the form to force the user to pick/enter a particular date/time: the $release_timestamp$ token
Assume that the release_timestamp is a string in the form "11/12/2015:20:00:00"
2 - Restrict the search to the last 30 days overall.
index=xxx earliest=-30d@d
| eval release_epoch = strptime("$release_timestamp$","%m/%d/%Y:%H:%M:%S")
| eval type=case( _time<=release_epoch AND _time>=release_epoch-(7*86400),"Before",
_time>=release_epoch AND _time<=release_epoch+(15*60),"After",
1==1,"Other")
| where type!="Other"
| rex field=_raw "<RequestName>(?<Request_Name>.*?)</RequestName>"
| stats count(eval(type=="Before")) as Before_Count count(eval(type=="After")) as After_Count by Request_Name
| where Before_Count = 0 | fields Request_Name
The above search defines "Before" as "the 7 days before the release," and "After" as "the 15 minutes after the release." You can tweak the time ranges in the case function.
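To check the bucketing logic of the second search outside Splunk, here is an added Python example (not part of the original answer) that mirrors it over a handful of constructed events: parse the release timestamp with the same "%m/%d/%Y:%H:%M:%S" format, put each event in the "Before" (7 days up to the release), "After" (15 minutes following) or "Other" bucket in the same order as the case() function, extract Request_Name with the same regex, and return the names that appear only after the release. The event times, request names and the 11/12/2015:20:00:00 release value are constructed sample data; the timestamp is treated as UTC so the result does not depend on the host's timezone.

```python
import re
from datetime import datetime, timezone

# Same pattern as the rex in the search; the named group becomes Request_Name.
REQUEST_RE = re.compile(r"<RequestName>(?P<Request_Name>.*?)</RequestName>")

BEFORE_SECS = 7 * 86400   # 7 days, as in release_epoch-(7*86400)
AFTER_SECS = 15 * 60      # 15 minutes, as in release_epoch+(15*60)


def parse_release(ts: str) -> float:
    """strptime("$release_timestamp$","%m/%d/%Y:%H:%M:%S") equivalent, pinned to UTC."""
    return datetime.strptime(ts, "%m/%d/%Y:%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def classify(event_time: float, release_epoch: float) -> str:
    """Mirror of the case() statement: first matching branch wins, so an event
    stamped exactly at release_epoch lands in "Before", not "After"."""
    if release_epoch - BEFORE_SECS <= event_time <= release_epoch:
        return "Before"
    if release_epoch <= event_time <= release_epoch + AFTER_SECS:
        return "After"
    return "Other"


def new_after_release(events, release_epoch: float):
    """events: iterable of (epoch_time, raw_text) pairs standing in for _time/_raw.
    Returns the sorted Request_Name values with Before_Count == 0, i.e. requests
    that produced incidents only in the post-release window."""
    counts = {}
    for event_time, raw in events:
        bucket = classify(event_time, release_epoch)
        if bucket == "Other":          # | where type!="Other"
            continue
        match = REQUEST_RE.search(raw)
        if not match:                  # no RequestName tag -> dropped by stats "by Request_Name"
            continue
        name = match.group("Request_Name")
        per_name = counts.setdefault(name, {"Before": 0, "After": 0})
        per_name[bucket] += 1          # count(eval(type=="Before")) / count(eval(type=="After"))
    return sorted(name for name, c in counts.items() if c["Before"] == 0)


def sample_events(release_epoch: float):
    """Constructed sample events (not real data) placed relative to the release."""
    def ev(offset_secs, name):
        raw = f"<Incident><RequestName>{name}</RequestName></Incident>"
        return (release_epoch + offset_secs, raw)
    return [
        ev(-3 * 86400, "GetOrder"),       # Before
        ev(5 * 60, "GetOrder"),           # After  -> seen before too, not reported
        ev(10 * 60, "PayInvoice"),        # After only -> reported
        ev(20 * 60, "RefreshToken"),      # outside 15 min -> Other, ignored
        ev(-8 * 86400, "CancelOrder"),    # older than 7 days -> Other, ignored
        ev(2 * 60, "CancelOrder"),        # After only (within windows) -> reported
        (release_epoch + 60, "<Incident>no request tag here</Incident>"),  # no match, skipped
    ]


def run_example():
    release_epoch = parse_release("11/12/2015:20:00:00")  # constructed release time
    return new_after_release(sample_events(release_epoch), release_epoch)


if __name__ == "__main__":
    print(run_example())  # ['CancelOrder', 'PayInvoice']
```

The ordering in classify() is the detail worth keeping in mind when tweaking the windows: because case() stops at the first true branch, the single instant where the two ranges touch (_time == release_epoch) is always counted as "Before"; widen or shift the ranges and the same first-match rule still decides any overlap.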