Thank you for the help bowesmana. This solution works but it seems to cap my results to 10k events, is this an inherent Splunk thing or am I missing a piece of the puzzle? I did do a search for only the INCLUDE=YES events.

``` Ensure time descending order and mark the events that have an error ```
| sort - _time
| streamstats window=1 values(eval(if(match(log_data,"error"), _time, null()))) as error_time
``` Save the error time and copy the error time down to all following records until the next error ```
| eval start_time=error_time
| filldown error_time
``` Now filter events within 60 seconds prior to the error ```
| eval INCLUDE=if(_time>=(error_time-60) AND _time<=error_time, "YES", "NO")
``` Now do the same in reverse, i.e. time ascending order ```
| sort _time
| filldown start_time
``` and filter events that are within 60 seconds AFTER the error ```
| eval INCLUDE=if(_time<=(start_time+60) AND _time>=start_time, "YES", INCLUDE)
| fields - start_time error_time
| search INCLUDE=YES
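As an added, self-contained version of the windowing search above (editor's example, not code from the thread or from bowesmana): it builds its own constructed sample data with `makeresults` so it can be pasted into any Splunk search bar without an index, and it uses `sort 0`, since Splunk's `sort` returns at most 10,000 results unless the count is set to 0. The `streamstats window=1 values(eval(...))` step is replaced by a plain `eval`, which yields the same per-event `error_time`; the 20-second event spacing and the error positions are constructed assumptions.

```spl
| makeresults count=120
| streamstats count as n
| eval _time = now() - (n * 20)
| eval log_data = if(n=30 OR n=90, "error: request failed", "info: ok")
| fields _time log_data
| sort 0 - _time
| eval error_time = if(match(log_data, "error"), _time, null())
| eval start_time = error_time
| filldown error_time
| eval INCLUDE = if(_time >= (error_time - 60) AND _time <= error_time, "YES", "NO")
| sort 0 _time
| filldown start_time
| eval INCLUDE = if(_time <= (start_time + 60) AND _time >= start_time, "YES", INCLUDE)
| where INCLUDE="YES"
| fields - start_time error_time INCLUDE
```

With events 20 seconds apart, each error keeps the three events before it, the error itself and the three events after it, so the constructed data returns 14 rows. Both `sort` calls carry the `0` count; dropping either one reintroduces the 10,000-result ceiling on the sorted stream, which is the most common reason a search of this shape stops at exactly 10k events.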