I think what we are looking for here is a combination of eval and map. Use eval to set up a time window and map to iterate over the original search results - grabbing the events surrounding them.
To get events that happened surrounding the original set of events (to gain the desired context) we can use the following to give all events from 2.5 seconds before to 1.5 seconds after the original set:
message="Error" |eval mystarttime=_time-2.5 | eval myendtime=_time+1.5 | map search="search _time<$myendtime$ _time>$mystarttime$"
Note that this may take a bit, and beware that you can get events listed more than once if the time window you set up overlaps more than one of the original events.
If you want map to do more than the default limit of 10 searches, you will want to add the maxsearches option:
map search="search _time<$myendtime$ _time>$mystarttime$" maxsearches=99
You can also make the results more intuitive for reading with the transaction command:
message="Error" |eval mystarttime=_time-2.5 | eval myendtime=_time+1.5 | map search="search _time<$myendtime$ _time>$mystarttime$" maxsearches=99 | transaction maxspan=4s
It will group each set of events into a single transaction on the return. In this case we are saying group any events within 4 seconds of each other.
I would love to have a more efficient way of doing this search. Unfortunately localize is not very intuitive and is restricted to whole second increments, and the starttimeu and endtimeu time options for search didn't seem to give any better results.
Here is some very basic background info in case you are new to map and eval:
The map command runs a new search for each of the events passed to it. It's a typical looping operator.
For example, if
search message="Error"
returns 5 results, then
search message="Error" | map search="search message=\"$message$\""
should return 25 results because it performs a search for the same message again as it loops over each of the original results (5x5=25). Indeed it does.
We could return the original set of results by limiting them to the time they were encountered (assuming none of them happened at once, in which case there would still be duplicates on the corresponding times)
message="Error" | eval mytime=_time | map search="search message=\"$message$\" _time=$mytime$"
The eval command gives us the ability to set up new variables based on those found in the previous result(s)
Good luck!
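The windowing and grouping logic described in the answer above, as an added Python model run over constructed sample events. This is not Splunk code and not the poster's own; it imitates what the eval/map pipeline returns (one search per matching event, results concatenated, so an event inside two overlapping windows comes back twice) and gives a rough approximation of `transaction maxspan=4s` (sort, drop exact duplicates, cut a new group when the first-to-last span would exceed 4 seconds). The real transaction command has more options (maxpause, grouping fields) that this model does not attempt.

```python
from dataclasses import dataclass

# Same window as the SPL in the answer: 2.5s before, 1.5s after, 4s transaction span.
WINDOW_BEFORE = 2.5
WINDOW_AFTER = 1.5
MAXSPAN = 4.0


@dataclass(frozen=True)
class Event:
    time: float     # stands in for _time
    message: str    # stands in for the message field


# Constructed sample events (not real log data). The errors at t=10 and t=12
# have overlapping context windows; the error at t=30 is isolated.
SAMPLE_EVENTS = [
    Event(8.0, "Starting worker"),
    Event(9.0, "Connecting to db"),
    Event(10.0, "Error"),
    Event(11.0, "Retrying"),
    Event(12.0, "Error"),
    Event(13.0, "Gave up"),
    Event(20.0, "Heartbeat"),
    Event(28.0, "Request received"),
    Event(30.0, "Error"),
    Event(31.0, "Request failed"),
    Event(35.0, "Heartbeat"),
]


def context_window(events, error_msg="Error", before=WINDOW_BEFORE, after=WINDOW_AFTER):
    """Model of:
        message="Error" | eval mystarttime=_time-2.5 | eval myendtime=_time+1.5
          | map search="search _time<$myendtime$ _time>$mystarttime$"
    map runs one search per matching event and concatenates the results, so an
    event that falls inside two overlapping windows is returned twice.
    The comparisons are strict, matching the SPL's < and >."""
    out = []
    for err in events:
        if err.message != error_msg:
            continue
        start, end = err.time - before, err.time + after
        out.extend(e for e in events if start < e.time < end)
    return out


def duplicate_count(events):
    """Number of result rows beyond the first copy of each distinct event."""
    return len(events) - len(set(events))


def transactions(events, maxspan=MAXSPAN):
    """Rough model of `| transaction maxspan=4s`: sort by time, drop exact
    duplicates, and start a new group whenever adding an event would stretch
    the group's first-to-last span beyond maxspan."""
    ordered = sorted(set(events), key=lambda e: e.time)
    groups = []
    for e in ordered:
        if groups and e.time - groups[-1][0].time <= maxspan:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


if __name__ == "__main__":
    rows = context_window(SAMPLE_EVENTS)
    print(f"{len(rows)} rows returned, {duplicate_count(rows)} of them duplicates")
    for i, group in enumerate(transactions(rows), 1):
        span = group[-1].time - group[0].time
        print(f"transaction {i} (span {span}s): {[e.message for e in group]}")
```

Running it shows 11 rows for 9 distinct events: the "Error" at t=10 and the "Retrying" at t=11 sit inside both the t=10 and t=12 windows and are returned twice, which is exactly the overlap caveat above. Grouping with a 4-second span then collapses the duplicates and cuts the run of events around the first two errors into one transaction plus a trailing one-event transaction at t=13, since 13-8 exceeds 4 seconds.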