There are plenty of ways to specify the exact time range or maximum range between two events in a search. But I need to specify a minimum.
My search is: index=antivirus INFECTION | dedup 1 infection host | top host limit="10"
It correctly finds my top 10 infected hosts by distinct viral infection and host. However, I want to make sure there is over X amount of time between each event, because I want to catch Bob the Bittorrenter who gets a new infection every week, and not Sue the Surfer who downloads one bad file and gets 8 infections in less than a minute.
I've tried building a timechart, "transaction infection,host maxspan=X", and specifying a bucket on _time, but everything seems to give me the opposite of what I need.
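One way to express the "minimum gap between each event" requirement in SPL, as an added example that is not part of the original post: sort each host's deduplicated infections by time, use streamstats to carry the previous event's _time forward, and keep only hosts whose smallest gap exceeds the threshold. The threshold 604800 (7 days in seconds) and the minimum of two infections per host are assumptions; substitute your own X.

```spl
index=antivirus INFECTION
| dedup 1 infection host
| sort 0 host _time
| streamstats current=f last(_time) as prev_time by host
| eval gap=_time-prev_time
| eventstats min(gap) as min_gap, count as infections by host
| where infections > 1 AND min_gap > 604800
| stats count as infections by host
| sort - infections
| head 10
```

The first event per host has no prev_time, so its gap is null and is ignored by min(gap); a host with a single infection therefore never passes the where clause, and a burst like Sue's 8 infections in a minute yields a min_gap of seconds and is dropped.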