I have a query where I need to determine the earliest time I want events from. It is either (1) the last time JBoss started or (2) 30 minutes since the last event in the logs (whichever is closest to the current time).
How do I do that in a query most efficiently?
Here are the subsearches.
[search sourcetype="server_log"
| head 1
| eval test = relative_time(_time, "-30m@m")
| rename test as earliest
| fields earliest
]
[search sourcetype="server_log" "starting service(s)"
| head 1
| rename _time as earliest
| fields earliest
]
Thanks!
How about this?
[ search sourcetype="server_log"
| head 1
| eval eventtime = relative_time(_time, "-30m@m")
| append [
search sourcetype="server_log" "starting service(s)"
| head 1
| rename _time as eventtime
]
| stats max(eventtime) as earliest
]
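To check the logic of the answer above against sample data without a Splunk instance, here is a small Python model of the same computation. This is example code added to this page, not the poster's query and not Splunk itself: it mirrors `head 1` on a newest-first result set (the latest event), `relative_time(_time, "-30m@m")` (go back 30 minutes, then snap down to the start of the minute), the second subsearch's `"starting service(s)"` match, and `stats max(eventtime)` picking the later of the two candidates. The log lines, the `JBoss` message text and the timestamp format are constructed for the example.

```python
"""Python model of the Splunk subsearch in the answer above.
Example code added to this page; not the poster's query and not Splunk."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from the original post), oldest first.
SAMPLE_LOG = """\
2024-05-01 09:58:02 INFO  JBoss starting service(s)
2024-05-01 10:03:15 INFO  request handled GET /login
2024-05-01 10:41:07 INFO  request handled GET /api/users
2024-05-01 10:47:13 WARN  slow query detected
"""

# Same lines plus a restart that happened inside the last 30 minutes.
LATE_RESTART_LOG = SAMPLE_LOG + "2024-05-01 10:30:00 INFO  JBoss starting service(s)\n"

# Same lines with no restart marker at all (second subsearch returns nothing).
NO_RESTART_LOG = "\n".join(
    line for line in SAMPLE_LOG.splitlines() if "starting service(s)" not in line
)

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
START_MARKER = "starting service(s)"  # phrase the second subsearch looks for


def parse_events(text):
    """Return a list of (timestamp, message) tuples for lines that carry a timestamp."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2)))
    return events


def minus_30m_snap_minute(ts):
    """Model of relative_time(_time, "-30m@m"): subtract 30 minutes,
    then snap down to the start of that minute."""
    return (ts - timedelta(minutes=30)).replace(second=0, microsecond=0)


def earliest_bound(events):
    """Later of: (latest event - 30m, snapped) and (most recent restart marker).
    Uses max() instead of relying on result order, which is what `head 1`
    on a newest-first result set gives in Splunk.  With no events at all the
    subsearch would return nothing, modelled here as None."""
    if not events:
        return None
    latest = max(ts for ts, _ in events)            # first subsearch's `head 1`
    candidates = [minus_30m_snap_minute(latest)]
    starts = [ts for ts, msg in events if START_MARKER in msg]
    if starts:                                      # second subsearch may be empty
        candidates.append(max(starts))
    return max(candidates)                          # stats max(eventtime)


def earliest_bound_str(text):
    """Convenience wrapper: formatted bound for a raw log text, or None."""
    bound = earliest_bound(parse_events(text))
    return None if bound is None else bound.strftime(TS_FMT)


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG),
                      ("late restart", LATE_RESTART_LOG),
                      ("no restart", NO_RESTART_LOG)):
        print(f"{name:13s} -> earliest = {earliest_bound_str(log)}")
```

With the constructed lines the bound is 10:17:00 (latest event 10:47:13, minus 30 minutes, snapped to the minute); when a restart at 10:30:00 is present the restart wins; when no restart line exists only the 30-minute candidate remains, which matches `stats max` ignoring an empty appended result. One thing to keep in mind with the real query: the subsearch hands its result back as a field named `earliest`, which Splunk treats as a time modifier on the outer search, so the value must be an epoch number as produced by `relative_time` and `_time`, not a formatted string.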