Search 1 : index=index_123 (msg="*xyz*") | rex field=msg "results\":{\"(?<abc1>.*)\" *" | stats values(_time) as abc1_time, abc1 Search 1 : index=index_123 (msg="*mnop*") | rex field=msg "results\":{\"(?<abc2>.*)\" *" | stats values(_time) as abc2_time, abc_2 Scenario 1 : Search 1 gave results : 11:30AM --- 123, 11:40AM --- 345 Search 2 gave results :11:34AM --- 123 I want to subtract ( search 1 - search 2) with time difference less than 3 minutes. so that i should get 123(time greater then 3 mins), 345(No record in search 2).
... View more