The easiest solution to write is to generate time ranges with a subquery and then search for errors during those periods:

<your general search for errors> [ search <your search for zookeeper errors> | table _time | rename _time as latest | eval earliest=latest-15*60 ]

But it has all the limitations of a subquery (the result limit, which is probably not important here, and the execution time limit and possibility of silent termination).

You could also try something with streamstats along the lines of:

<your search for errors> | streamstats max(_time) as bigerrortime reset_before="like(_raw,\"%your_Zookeeper_error%\")" | where _time-bigerrortime<=900
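The streamstats idea above (carry the time of the most recent ZooKeeper error forward, reset it whenever a new one appears, and keep only the errors that fall inside the window) is easy to check against a small reference implementation before trusting it on a production index. The Python below is an added example written for this page, not code from the answer's author or from Splunk. It assumes the window of interest is the 900 seconds after each ZooKeeper error, that a ZooKeeper error is any ERROR line mentioning "zookeeper", and it runs over constructed sample log lines embedded in the script; the timestamp format and field layout are assumptions of the example. Note that it sorts events into chronological order first: streamstats is order-dependent, and Splunk returns events latest-first by default, so a real pipeline needs the same care (for example a `| reverse` or `| sort _time` ahead of streamstats).

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the original post). The two
# "zookeeper" lines are the anchors; the others are ordinary errors.
SAMPLE_LOG = """\
2024-05-01 10:00:00 INFO  app started
2024-05-01 10:03:10 ERROR db timeout
2024-05-01 10:05:00 ERROR zookeeper ConnectionLoss for /locks/job
2024-05-01 10:07:30 ERROR job failed: lock unavailable
2024-05-01 10:19:59 ERROR retry exhausted
2024-05-01 10:20:01 ERROR late failure
2024-05-01 10:40:00 ERROR zookeeper session expired
2024-05-01 10:41:00 WARN  disk at 80%
2024-05-01 10:42:00 ERROR cache miss storm
"""

# Assumed line layout: "<timestamp> <LEVEL> <message>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")


def parse(lines):
    """Turn raw lines into (epoch_seconds, level, message), oldest first."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole pass
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append((int(ts.timestamp()), m.group(2), m.group(3)))
    # streamstats is order-dependent: sort ascending so "after" means later.
    events.sort(key=lambda e: e[0])
    return events


def is_zk_error(level, msg):
    """Stand-in for the like(_raw, "%your_Zookeeper_error%") condition."""
    return level == "ERROR" and "zookeeper" in msg.lower()


def errors_after_zk(lines, window=900):
    """Single pass equivalent of:
    streamstats max(_time) as bigerrortime reset_before=<zk condition>
    | where _time-bigerrortime<=window
    Returns (seconds_since_zk_error, message) for each error inside a window.
    """
    anchor = None  # bigerrortime: _time of the latest ZooKeeper error seen
    hits = []
    for t, level, msg in parse(lines):
        if is_zk_error(level, msg):
            anchor = t  # reset_before: a new window starts at this event
            continue
        if level != "ERROR" or anchor is None:
            continue  # not an error, or no ZooKeeper error seen yet
        if 0 <= t - anchor <= window:
            hits.append((t - anchor, msg))
    return hits


if __name__ == "__main__":
    for delta, msg in errors_after_zk(SAMPLE_LOG):
        print(f"+{delta:4d}s  {msg}")
```

Running it flags three errors: "job failed" (150 s after the first ZooKeeper error), "retry exhausted" (899 s, just inside the window) and "cache miss storm" (120 s after the second one). The "db timeout" before any ZooKeeper error and the "late failure" at 901 s are correctly left out, which is exactly the pair of boundary cases worth checking in the SPL version too.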