There's a third way... I think 🙂
search for special events only | streamstats window=4 current=f count latest(_time) as other_time | where count=4 AND _time >= relative_time(other_time, "-10m")
Here's an example of the logic in action:
| gentimes start=-1 increment=1h | eval _time = starttime | sort - _time | streamstats window=4 current=f count latest(_time) as other_time | where count=4 AND _time >= relative_time(other_time, "-4h")
Events happen every hour, so five occur within four hours - this finds loads. If you change the "-4h" at the end to "-3h" then it finds none, because there are only four in three hours.
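To make the streamstats logic above concrete outside Splunk, here is an added Python example (not part of the original answer, and not from the poster) that does the same thing over a list of event times: sort newest first, look at the previous four rows, take the latest of them, and keep the row when it is within the window. The sample log lines and the "Failed password" filter are constructed for the example; the SPL itself only says "special events".

```python
from datetime import datetime, timedelta

def find_bursts(times, n=5, window=timedelta(minutes=10)):
    """Return the oldest event time of every run of n events that all fall
    within `window`.  Mirrors the SPL:
        sort - _time
        | streamstats window=n-1 current=f count latest(_time) as other_time
        | where count=n-1 AND _time >= relative_time(other_time, "-window")
    """
    k = n - 1                                   # streamstats window size
    ordered = sorted(times, reverse=True)       # sort - _time (newest first)
    hits = []
    for i, t in enumerate(ordered):
        if i < k:
            continue                            # count=k: need a full window
        prev = ordered[i - k:i]                 # the k rows before this one (current=f)
        other_time = max(prev)                  # latest(_time) of those rows
        if t >= other_time - window:            # _time >= relative_time(other_time, "-window")
            hits.append(t)
    return hits

def hourly_demo(window_hours):
    """Equivalent of the gentimes example: 24 hourly events, returns how many
    rows the where clause keeps for the given window."""
    base = datetime(2024, 5, 1)                 # constructed date
    hourly = [base + timedelta(hours=h) for h in range(24)]
    return len(find_bursts(hourly, n=5, window=timedelta(hours=window_hours)))

# Constructed sample log; the IPs are from the documentation range.
SAMPLE_LOG = """\
2024-05-01T12:00:00 sshd[101]: Failed password for invalid user admin from 203.0.113.5
2024-05-01T12:01:10 sshd[102]: Failed password for invalid user admin from 203.0.113.5
2024-05-01T12:03:25 sshd[103]: Failed password for invalid user root from 203.0.113.5
2024-05-01T12:05:00 sshd[104]: Accepted password for bob from 198.51.100.7
2024-05-01T12:07:40 sshd[105]: Failed password for invalid user test from 203.0.113.5
2024-05-01T12:09:55 sshd[106]: Failed password for invalid user guest from 203.0.113.5
2024-05-01T12:30:00 sshd[107]: Failed password for invalid user admin from 203.0.113.5
"""

def burst_starts_from_log(text, n=5, window=timedelta(minutes=10),
                          marker="Failed password"):
    """Pull the timestamps of the 'special events' out of the log text and
    return the start of each n-in-window burst."""
    times = [
        datetime.fromisoformat(line.split(" ", 1)[0])
        for line in text.splitlines()
        if marker in line                       # only the events we care about
    ]
    return find_bursts(times, n=n, window=window)

if __name__ == "__main__":
    print("hourly events, -4h window:", hourly_demo(4))   # every full window matches
    print("hourly events, -3h window:", hourly_demo(3))   # none match
    for start in burst_starts_from_log(SAMPLE_LOG):
        print("5 failed logins within 10 minutes starting at", start.isoformat())
```

The 12:30 line is deliberately outside the window: the run that ends with it only has four events within ten minutes, so the one reported burst starts at 12:00:00, exactly as the SPL would report the oldest event of the five.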