Hi my aim is to create an alert that will perform first search and look for at least 10 similar events within last 30 minutes. Then using another search it will look for at least one occurrence of different log At the end it should compare which log came first using min(_time) and trigger alert only if both searches returned logs. Checking the time can be omitted but it is important that both searches have returned anything. Both searches works fine when I run them separately, but then I am appending one to the other, I am receiving only logs from the 1 search. As an outcome would like to see the logs/events instead of stats table. I am a novice so if anybody could give me some hints how could I make it all work as expected, it would be great. Here's what I have done so far: index="index1" (Message=SEARCH1 earliest=-31m@m latest=-1m@m )
| transaction Message SrcIP | where eventcount > 10
| search Message="SEARCH1"
| eventstats min(_time) as condition1
| append
[ | search index="index1" SEARCH3 earliest=-61m@m latest=-1m@m
| eventstats min(_time) as condition2 ]
| where condition1 > condition2
... View more