In broad terms, I am searching for a certain event type and figuring out which state things were in for each event, where the state change is signified by other events.
For example, say I have a heartbeat event, and I have "became happy" and "became sad" events. I am trying to determine, at each heartbeat, whether it was happy or sad. I am having a really hard time figuring out how to pull this off.
The main avenue that I have pursued was to try and do a subsearch for the state change events with "latest=" the time of each heartbeat event, but "latest" can only be assigned a literal string. I.e., I've tried something like these two attempts, but they do not work:
event=heartbeat
| eval heartbeatTime=_time
| eval happy=1
| join type=left id [ search event=became.happy OR event=became.sad
| where _time<heartbeatTime
| eval happy=if(event=="became.happy", 1, 0)
| dedup id
]
or
event=heartbeat
| eval heartbeatTime=_time
| eval happy=1
| join type=left id [ search latest=heartbeatTime event=became.happy OR event=became.sad
| eval happy=if(event=="became.happy", 1, 0)
| dedup id
]
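One way to get the state at each heartbeat without a subsearch is to pull both event types into a single search, sort them into time order, and let streamstats carry the most recent state forward per id. This is an added example, not from the original post: it assumes the same event and id fields as above, and the state and current_state field names are made up here.

```spl
event=heartbeat OR event=became.happy OR event=became.sad
| eval state=case(event=="became.happy", "happy", event=="became.sad", "sad")
| sort 0 _time
| streamstats current=t last(state) AS current_state BY id
| search event=heartbeat
| fillnull value="unknown" current_state
| eval happy=case(current_state=="happy", 1, current_state=="sad", 0, true(), null())
| table _time id event current_state happy
```

Because stats functions ignore null values, last(state) only advances on the became.* events, so each heartbeat sees the latest state change before it for its id; heartbeats with no prior state change in the search window come out as "unknown" rather than silently defaulting to happy.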