For security reasons we have had to disable as much tracking as possible, so no users can be identified. This means our events aren’t linked together automatically. We have an issue now where we are logging messages and warnings, and would like to be able to search these anonymous records to see which warnings occurred during the time a given message was logged.
Is it possible to create search variables or use a subquery? What I’m trying to achieve is to search for event.type: default with a matching title, and find all the matching event.type: error, where the error timestamp matches the timestamp of the message.
(event.type:default AND title:"some tile") OR (event.type:error AND event.timestamp:$0.timestamp)
where $0 corresponds to the left side of the OR.