something like;
[search index= myindex source=server.log earliest=-360 latest=-60 "
I would recommend using an eventstats command to exclude
index="idx" earliest=-360s latest=-0s source="server.log" "<Request"
| xmlkv
| eventstats earliest_time(clientId) as earliest_clientId by clientId
| where relative_time(now(), "-60s") > earliest_clientId
Try like this
index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId | search NOT
[search index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | stats count by clientId |table clientId]
it works! Thanks much
Are you trying to search for everything EXCEPT search index= myindex source=server.log earliest=-360 latest=-60?
No, something like
earliest=-360 latest=-60 "
can't paste my example?
it's cutting off my example sorry
When pasting your example, highlight the syntax and click on the little '101 010' icon above the textbox.
[search index="idx" source="server.log" earliest=-360 latest=-60 "<Request" | xmlkv | fields clientId]
NOT IN
[search index="idx" source="server.log" earliest=-360 latest=now "<Response" | xmlkv | fields clientId]
@riotto
Can you give more details on what you're looking for with expected results? It's hard just figuring this out with only a search. People need more context here other than the same search you put in the content of your question.
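An added example, not part of the original thread: the same "request with no response" check done in one pass with stats instead of a NOT subsearch, which avoids the result and runtime limits Splunk applies to subsearches. It reuses the thread's index, source and clientId field; the names is_request, is_response, requests, responses and first_request are assumptions introduced for illustration.

```spl
index="idx" source="server.log" earliest=-360 latest=now ("<Request" OR "<Response")
| xmlkv
| eval is_request=if(like(_raw, "%<Request%"), 1, 0)
| eval is_response=if(like(_raw, "%<Response%"), 1, 0)
| stats sum(is_request) as requests, sum(is_response) as responses, min(eval(if(is_request=1, _time, null()))) as first_request by clientId
| where requests > 0 AND responses = 0 AND first_request <= relative_time(now(), "-60s")
| table clientId first_request
```

The final where clause keeps only clientIds whose earliest request is at least 60 seconds old, matching the latest=-60 bound on the request search in the thread, while responses are counted right up to now.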