Hello,
I formed two queries that serve the purpose; they are given below.
| eval abc=_time
| bucket span=5m _time
| stats values(abc) as time by _time fieldA
| eval a1=mvindex(time, 0), a2=mvindex(time, 1), a3=mvindex(time, 2), a4=mvindex(time, 3), a5=mvindex(time, 4), a6=mvindex(time, 5)
| eval delta1=a2-a1, delta2=a3-a2, delta3=a4-a3, delta4=a5-a4, delta5=a6-a5
| where delta1 < 30 OR delta2 < 30 OR delta3 < 30 OR delta4 < 30 OR delta5 < 30
| fields _time fieldA delta1 delta2 delta3 delta4 delta5
This can be used to calculate the delta for 5 events in the span of 5 minutes.
You can adjust the granularity as per your requirement.
OR
| transaction maxspan=5m fieldA
| where eventcount > 3
| eval delta=duration/eventcount
| where delta < 30
| table fieldA delta eventcount
This can be used to calculate the average delta between each event and the event count.
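The two queries above compute deltas either for a fixed number of events per 5-minute bucket (the mvindex approach) or as an average over a transaction. The following SPL is an added example, not part of the original answer, that generalizes the first approach: it uses streamstats to compute the gap between every event and the previous event of the same fieldA value, so the number of events per bucket does not have to be known in advance. The sample data (two hosts, a handful of epoch timestamps) is constructed inline with makeresults so the search runs without an index; replace the makeresults/mvexpand stage with your own base search in practice.

```spl
| makeresults count=1
| eval data="hostA,1700000000;hostA,1700000010;hostA,1700000025;hostA,1700000500;hostB,1700000000;hostB,1700000300"
| makemv delim=";" data
| mvexpand data
| eval fieldA=mvindex(split(data, ","), 0), _time=tonumber(mvindex(split(data, ","), 1))
| fields - data
| sort 0 fieldA _time
| streamstats current=f last(_time) as prev_time by fieldA
| eval delta=_time-prev_time
| where isnotnull(delta) AND delta < 30
| table fieldA _time prev_time delta
```

With the constructed data this returns only the two hostA rows whose gap to the previous hostA event is below 30 seconds (deltas of 10 and 15); the 475-second and 300-second gaps are filtered out. The `sort 0 fieldA _time` step matters: streamstats processes events in the order it receives them, and index searches normally return newest-first, so without an ascending sort the deltas would come out negative. The `current=f` option makes `last(_time)` refer to the preceding event rather than the current one, which is what turns it into a "previous timestamp" lookup.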