I have a first search, queryA, that returns a set of events. I would like to make a second search, queryB, using the earliest/latest event of queryA as the timeframe for queryB. Then I would like to merge the results from both searches together. Is this even possible?
I know I can do queryA | stats earliest(_time) AS Earliest, latest(_time) AS Latest to get the earliest/latest events in queryA.
Now how do I do something like queryB | _time > Earliest AND _time < Latest?
Finally, I would like to merge the results of 2) with queryA. Is that possible without running queryA again?