Here's an example using streamstats, where a single search is done and the data segregated on what might be your conditions, but hopefully it will help show you a way to achieve what you are trying to do - I expect there is more detail that is needed to solve your question, but see this | makeresults
| eval data=split("xyz-123;11:30,xyz-345;11:40,mnop-123;11:34,xyz-678;11:45,mnop-678;11:47",",")
| mvexpand data
| rex field=data "(?<msg>[\w-]+);(?<time>\d+:\d+)"
| fields - data
| eval _time=strptime(time,"%H:%M")
| search (msg="*xyz*" OR msg="*mnop*")
| eval type=case(match(msg,"xyz"),1,match(msg,"mnop"),2)
| rex field=msg "\w+-(?<id>\d+)"
| streamstats count range(_time) as gap by id
| eventstats dc(type) as types by id
| where ((types=2 AND gap>180) OR (type=1 AND types=1)) It gives your example pair as well as another id 678, where the gap is 2 minutes, so it is ignored. Hope this helps
... View more