Alright, I just plugged all of those data points into a makeresults.
| makeresults
| eval data="order=1 id=1 dt=05/22/17 02:13:01,order=2 id=1 dt=05/22/17 02:17:13,order=3 id=1 dt=05/22/17 02:15:33,order=4 id=1 dt=05/22/17 02:22:03,order=1 id=2 dt=05/22/17 02:25:56,order=2 id=2 dt=05/22/17 02:26:18,order=3 id=2 dt=05/22/17 02:24:37,order=1 id=3 dt=05/22/17 02:31:19,order=2 id=3 dt=05/22/17 02:50:03,order=3 id=3 dt=05/22/17 02:53:29,order=4 id=3 dt=05/22/17 02:51:52,order=1 id=4 dt=05/22/17 03:01:34,order=2 id=4 dt=05/22/17 22:01:30,order=3 id=4 dt=05/22/17 22:01:30"
| makemv data delim=","
| mvexpand data
| eval _raw=data
| kv
| rex field=data "dt=(?<dt>.*)"
| eval _time=strptime(dt,"%m/%d/%y %H:%M:%S")
| sort id +order
| streamstats current=f window=1 values(_time) as prevST by id
| eval prevST=if(isnull(prevST),_time,prevST)
| where _time >= prevST
I think if you add ...| streamstats current=f window=1 values(st) as prevST by id |eval prevST=if(isnull(prevST),_time,prevST)| where st >= prevST it should work. Just make sure that st is in epoch and isn't a string.
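As an added illustration that is not part of the answer above, the Python below emulates the same pipeline on the same constructed data: it splits the comma-separated string into events, parses dt into an epoch value, sorts by id and order, and then applies the streamstats/where logic. The function names (parse_events, filter_monotonic, by_id) are this example's own, not Splunk's. One point worth seeing in code: streamstats runs before where, so prevST is always the time of the immediately preceding event in the id group, even when that preceding event is itself dropped by the where clause.

```python
from datetime import datetime

# Constructed sample: the same order/id/dt triples the answer fed into makeresults.
RAW = (
    "order=1 id=1 dt=05/22/17 02:13:01,order=2 id=1 dt=05/22/17 02:17:13,"
    "order=3 id=1 dt=05/22/17 02:15:33,order=4 id=1 dt=05/22/17 02:22:03,"
    "order=1 id=2 dt=05/22/17 02:25:56,order=2 id=2 dt=05/22/17 02:26:18,"
    "order=3 id=2 dt=05/22/17 02:24:37,order=1 id=3 dt=05/22/17 02:31:19,"
    "order=2 id=3 dt=05/22/17 02:50:03,order=3 id=3 dt=05/22/17 02:53:29,"
    "order=4 id=3 dt=05/22/17 02:51:52,order=1 id=4 dt=05/22/17 03:01:34,"
    "order=2 id=4 dt=05/22/17 22:01:30,order=3 id=4 dt=05/22/17 22:01:30"
)


def parse_events(raw):
    """Emulate makemv/mvexpand/kv/rex: one dict per comma-separated chunk.

    kv alone would stop dt at the space inside the timestamp, which is why the
    original query adds a rex; here everything after "dt=" is taken as the date.
    """
    events = []
    for chunk in raw.split(","):
        head, dt = chunk.split("dt=", 1)
        fields = {}
        for token in head.split():
            key, value = token.split("=", 1)
            fields[key] = value
        fields["dt"] = dt
        # strptime(dt, "%m/%d/%y %H:%M:%S") -> epoch seconds, as in the SPL
        fields["_time"] = datetime.strptime(dt, "%m/%d/%y %H:%M:%S").timestamp()
        fields["order"] = int(fields["order"])
        fields["id"] = int(fields["id"])
        events.append(fields)
    return events


def filter_monotonic(events):
    """Emulate:
        sort id +order
        | streamstats current=f window=1 values(_time) as prevST by id
        | eval prevST=if(isnull(prevST),_time,prevST)
        | where _time >= prevST

    Returns (kept, dropped). prevST is the previous event's _time within the
    same id, regardless of whether that previous event passed the where clause.
    """
    kept, dropped = [], []
    prev_time = {}  # id -> _time of the immediately preceding event in that id
    for ev in sorted(events, key=lambda e: (e["id"], e["order"])):
        prev_st = prev_time.get(ev["id"], ev["_time"])  # first in group: prevST=_time
        ev["prevST"] = prev_st
        (kept if ev["_time"] >= prev_st else dropped).append(ev)
        prev_time[ev["id"]] = ev["_time"]
    return kept, dropped


def by_id(events):
    """Group surviving order numbers by id, for a compact view of the result."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev["id"], []).append(ev["order"])
    return grouped


if __name__ == "__main__":
    kept, dropped = filter_monotonic(parse_events(RAW))
    print("kept:", by_id(kept))
    print("dropped:", [(e["id"], e["order"], e["dt"]) for e in dropped])
```

On this data the filter keeps 11 of the 14 events and drops (id=1, order=3), (id=2, order=3) and (id=3, order=4), the three rows whose timestamp is earlier than the row before them. Note that id=1 order=4 survives because it is compared with order=3's time, not with the last kept row's time; if the intent is "later than the last kept event", the SPL would need a different construction than a one-event window.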