I feel like this should be an easy question to find the answer to, but I've spent a good hour or so looking and haven't found it. So, at the risk of looking stupid, here goes:
I'd like to craft a search string to use in a dashboard that returns all the instances of a defined set of events (say, A, B and C) that have occurred since the last occurrence of a different event (say X). I can write the two queries independently no problem:
event_id="X" | head 1 | table _time
gives me the time of the last instance of X, and then I can just change the time range selector to set that to start at that point and run
event_id="A" OR event_id="B" OR event_id="C"
to find the events I'm interested in. But it really seems like this should be possible to do in a single query, passing the result of the first as a parameter into the where clause of the second.