Hmmm... that looks like an interesting way to bucket by time, but I'm not clear how to combine that with my two eventtypes and yield results where one eventtype is null. Maybe this example will help:
eventtype=type_X | localize maxpause=2m | map search="search eventtype=type_Y starttimeu=$starttime$ endtimeu=$endtime$"
That query successfully buckets by time and returns events of type_Y that fall within two minutes of events of type_X. What I need is something that says "when the map clause returns 0 results, output the corresponding event of type_X". I tried using stats count | where to achieve that, but that (not too surprisingly) doesn't do what I want - it just outputs 0 results, presumably because I'm asking it to output events of type_Y where there are 0 events of type_Y.