Let's say we have a couple of fields in our dataset (called my_dataset): event_time, event_type, user, field1 and field2. Now, we want to make a search that:
distinct count of field1>X OR distinct count of field2>Y happens within Z minutes from when a specific event_type (let's call that value type1) happens for the first time.
In other words, this search counts the number of different field1 or field2 unique values within Z minutes from the first type1 (but it searches all event_type values when counting field1 and field2). I tried:
| tstats ... from datamodel=my_dataset groupby _time
| eval detection_time_end=strftime((relative_time(event_time,"+`Z`")), "%F %T.%Q"), only_type1=if((event_type="type1"),1,null())
| stats earliest(event_time) as earliest_time, earliest(detection_time_end) as end_of_detection_time, dc(field1) as number_of_different_field1_events, dc(field2) as number_of_different_field2_events, by user, only_type1
This only takes me so far and I'm not sure what to do next. I get statistics of the earliest time and end of detection time of type1 per user with total distinct counts of field1 and field2 events. I guess I have to use a subsearch here? Any help is appreciated since I got really stuck on this one. Thanks!
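One way to express the requested logic in SPL, as an added example that is not part of the original question or anyone's reply: it assumes a base search over the raw events (my_index and my_sourcetype are placeholder names), that _time is the event timestamp (substitute event_time if the model stores it as a separate field), and concrete thresholds of X=5 distinct field1 values, Y=3 distinct field2 values and Z=10 minutes.

```spl
index=my_index sourcetype=my_sourcetype user=*
| eval type1_time=if(event_type="type1", _time, null())
| eventstats min(type1_time) as first_type1 by user
| where isnotnull(first_type1) AND _time>=first_type1 AND _time<first_type1+(10*60)
| stats min(first_type1) as first_type1_time
        dc(field1) as number_of_different_field1_events
        dc(field2) as number_of_different_field2_events
        by user
| where number_of_different_field1_events>5 OR number_of_different_field2_events>3
| eval detection_window_end=strftime(first_type1_time+(10*60), "%F %T.%Q"),
       first_type1_time=strftime(first_type1_time, "%F %T.%Q")
```

The eventstats step does the per-user lookup that a subsearch would otherwise be used for: every event of a user, whatever its event_type, gets a first_type1 field holding the epoch time of that user's first type1 event, and the where clause then keeps only the events that fall inside the Z-minute window after it, so dc() counts field1 and field2 across all event types in that window. Two caveats: "first" means first within the search's time range, so set earliest and latest deliberately, and if you keep the tstats form from the question, _time (with a span) plus user, event_type, field1 and field2 must all appear in the groupby, otherwise the per-event fields needed for the distinct counts are not available after tstats.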