Hi everyone. I have this query which works really well. It is returning an identifier and list of descriptions, dates and sources. However I'd like to be able to find the range between the min and max dates after the transaction. I then want to only output results where the range is greater than 2 hours for example.
I think mvlist is the solution but I can't find any decent examples of its use.
index=dalprod Action=PublishedDefaultRule Date Id Source |
eval earliestDate = relative_time(now(), "-1d@d") |
eval latestDate = relative_time(now(), "@d+7d") |
eval Date = strptime(Date, "%d/%m/%Y %H:%M:%S") |
where earliestDate < Date AND Date < latestDate |
eval Date = strftime(Date ,"%d/%m/%Y %H:%M:%S") |
fields Id Date GroupId Description SportId Source |
join Id [search index=dalprod Action=DALPublish Source SportId NOT Source=Gambit] |
dedup Date GroupId |
eventstats count by GroupId |
where count>=2 |
transaction GroupId |
table GroupId Date Source Description SportId
Many thanks. Matt