So I have 2 different source types which I can join using the DEVICE field. But I want to join records if and only if the time difference is less than 3 seconds between them. (If there are multiple records, take the latest one.)
Then I want to show records only if some field in one record contains some value but in the other record it doesn't contain that value.
I have achieved the 2nd part using the following query, but I want the time condition as well.
index="index1" sourcetype="source1"
| join DEVICE [search index=index1 sourcetype=source2 STATE=state1 OR STATE=state2 ]
| eval state1=if(like(STATE, "%state1%"), 1, 0)
| eval state1Control = if(like(CONTROL, "%state1%"), 1, 0)
| eval state2=if(like(STATE, "%state2%"), 1, 0)
| eval state2Control = if(like(CONTROL, "%state2%"), 1, 0)
| where state1!=state1Control AND state2!=state2Control
| table _time, DEVICE, STATE, CONTROL
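As an added illustration (not part of the original post, and not SPL), the Python below models the correlation the question asks for: an inner join on DEVICE that only accepts the latest source2 event within a 3-second window of each source1 event, followed by the same STATE/CONTROL mismatch test as the post's where clause. The sample events, device names and state values are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not from the original post).
SOURCE1 = [  # the "left" side: carries CONTROL
    {"_time": "2024-01-01T10:00:00", "DEVICE": "dev-A", "CONTROL": "state1"},
    {"_time": "2024-01-01T10:00:10", "DEVICE": "dev-B", "CONTROL": "state2"},
    {"_time": "2024-01-01T10:00:20", "DEVICE": "dev-C", "CONTROL": "state1"},
    {"_time": "2024-01-01T10:00:30", "DEVICE": "dev-D", "CONTROL": "state1"},
]
SOURCE2 = [  # the "right" side: carries STATE
    {"_time": "2024-01-01T10:00:01", "DEVICE": "dev-A", "STATE": "state1"},  # +1s
    {"_time": "2024-01-01T10:00:02", "DEVICE": "dev-A", "STATE": "state2"},  # +2s, latest
    {"_time": "2024-01-01T10:00:15", "DEVICE": "dev-B", "STATE": "state1"},  # +5s, too far
    {"_time": "2024-01-01T10:00:19", "DEVICE": "dev-C", "STATE": "state1"},  # -1s
    {"_time": "2024-01-01T10:00:33", "DEVICE": "dev-D", "STATE": "state2"},  # exactly 3s, excluded
]

def parse(ts):
    return datetime.fromisoformat(ts)

def join_within(source1, source2, states=("state1", "state2"),
                max_gap=timedelta(seconds=3)):
    """Inner join on DEVICE. For each source1 event keep only the latest source2
    event (restricted to the listed STATE values, like the subsearch) whose
    timestamp differs by strictly less than max_gap in either direction."""
    by_device = {}
    for ev in source2:
        if ev["STATE"] in states:
            by_device.setdefault(ev["DEVICE"], []).append(ev)
    joined = []
    for left in source1:
        t = parse(left["_time"])
        candidates = [r for r in by_device.get(left["DEVICE"], [])
                      if abs(parse(r["_time"]) - t) < max_gap]
        if not candidates:
            continue  # unmatched left rows are dropped, as with join
        right = max(candidates, key=lambda r: parse(r["_time"]))
        joined.append({**left, "STATE": right["STATE"], "STATE_time": right["_time"]})
    return joined

def mismatches(rows, states=("state1", "state2")):
    """Keep rows where, for every state value, the STATE indicator and the
    CONTROL indicator disagree (the post's where clause)."""
    return [row for row in rows
            if all((s in row["STATE"]) != (s in row["CONTROL"]) for s in states)]

if __name__ == "__main__":
    for row in mismatches(join_within(SOURCE1, SOURCE2)):
        print(row["_time"], row["DEVICE"], row["STATE"], row["CONTROL"])
```

On the sample data only dev-A survives: its latest in-window STATE is state2 while CONTROL is state1; dev-B and dev-D have no event inside the window, and dev-C's STATE agrees with its CONTROL.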