Hello, I am trying to create a search query like so:
search for specific terms (searchterm#1 AND NOT completed successfully) in a list of sources over the last 4 hours (earliest=-4h). For each source that's returned, complete a metadata search to find if the lastTime (most recent event update) for any source is more than a set threshold (say 300 seconds) and return the result as an array of "source:lastUpdate"
Is the above possible? (I think I can get each one individually, but not together.)
Thanks in advance!
Try this
(searchterm#1 AND NOT "completed successfully") AND (source=source1 OR source=source2) earliest=-4h
| join source [ | metadata type=sources ]
| where now() - lastTime > 300
| eval lastUpdate = strftime(lastTime,"%X %x")
| table source lastUpdate
If you have a lot of sources that you want to check, you might put them in a lookup table. I just listed two in the example.
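A fuller version of the same approach, added here as an example rather than taken from the answer above: it pulls the list of sources from a lookup instead of hard-coding them, deduplicates the sources from the event search before the join so the metadata subsearch is matched once per source, computes the staleness in seconds (metadata's lastTime is an epoch-seconds value), and collapses the result into the multivalue "source:lastUpdate" field the question asked for. The index name `my_index` and the lookup `monitored_sources.csv` (assumed to have a `source` column) are placeholders, not names from the original post.

```spl
(searchterm#1 AND NOT "completed successfully") index=my_index earliest=-4h
    [ | inputlookup monitored_sources.csv | fields source ]
| stats count AS hits BY source
| join type=inner source
    [ | metadata type=sources index=my_index
      | fields source lastTime ]
| eval age_seconds = now() - lastTime
| where age_seconds > 300
| eval lastUpdate = strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| eval pair = source . ":" . lastUpdate
| stats values(pair) AS stale_sources
```

The `inputlookup` subsearch expands to `(source=a) OR (source=b) ...`, so it replaces the hand-written OR list in the answer. Note that `metadata` reports two timestamps: `lastTime` is the latest event `_time` seen for that source, while `recentTime` is the index time of the most recently indexed event; if "last update" should mean "when data last arrived" rather than "latest event timestamp", swap `lastTime` for `recentTime` in the subsearch and the `eval` lines. Also keep in mind that `join` subsearches are subject to the usual subsearch result limits, so restricting the `metadata` call to a single index (as above) keeps it well under them.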