I don't know if it's possible within the DSL query capabilities but would love to get some ideas or answers if it is.
I want to write a query that matches two different documents within a time frame of, say, 15 minutes.
The analogy is looking for a causal relationship that is wrapped in a finite time frame: "If P is true, then Q is also true".
I'll give a simple example from the world I'm coming from so I won't ruin the analogy:
I want to find two documents that come within a gap of 15 minutes and obey the following demands:
- "Name": "Malicious Command Line"
- "Name": "Malicious File Created"
Please notice that it's not a filter query with a time range relative to now-15m, but any 15 minutes in the past 24 hours, for example.
I hope I described my problem properly, and hope even more that there's a solution for such a problem.
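As an added illustration of the correlation the question asks for (not from the original post, and not an Elasticsearch DSL query), the following Python sorts the documents by time and, for each "Malicious Command Line" event, looks for a "Malicious File Created" event that follows it within 15 minutes. The window is anchored to each P event rather than to now, so it covers any 15-minute span in the searched range. The `host` field used to keep the pairing per machine and the sample documents are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample documents (not from the original post): each carries the
# "Name" field the question filters on, a timestamp and an assumed "host" key.
DOCS = [
    {"@timestamp": "2024-01-01T10:00:00", "Name": "Malicious Command Line", "host": "ws1"},
    {"@timestamp": "2024-01-01T10:09:00", "Name": "Malicious File Created", "host": "ws1"},
    {"@timestamp": "2024-01-01T11:00:00", "Name": "Malicious File Created", "host": "ws1"},
    {"@timestamp": "2024-01-01T12:00:00", "Name": "Malicious Command Line", "host": "ws2"},
    {"@timestamp": "2024-01-01T12:20:00", "Name": "Malicious File Created", "host": "ws2"},
    {"@timestamp": "2024-01-01T13:00:00", "Name": "Malicious File Created", "host": "ws3"},
    {"@timestamp": "2024-01-01T13:05:00", "Name": "Malicious Command Line", "host": "ws3"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp stored in the document."""
    return datetime.fromisoformat(value)


def correlate(docs, first, second, maxspan_minutes=15, key="host"):
    """Return (P, Q) pairs where P has Name == first, Q has Name == second,
    both share the same `key` value, and 0 <= Q.time - P.time <= maxspan.

    Documents are processed in time order; each P is kept pending for its
    key until a matching Q arrives or the window expires, so a Q that
    arrives before its P, or later than the window, is never paired.
    """
    maxspan = timedelta(minutes=maxspan_minutes)
    ordered = sorted(docs, key=lambda d: parse_ts(d["@timestamp"]))
    pending = {}  # key -> list of P documents still inside the window
    pairs = []
    for doc in ordered:
        now = parse_ts(doc["@timestamp"])
        k = doc.get(key)
        if doc["Name"] == first:
            pending.setdefault(k, []).append(doc)
        elif doc["Name"] == second:
            # Drop P events whose window has already closed, then pair the rest.
            alive = [p for p in pending.get(k, [])
                     if now - parse_ts(p["@timestamp"]) <= maxspan]
            pending[k] = alive
            pairs.extend((p, doc) for p in alive)
    return pairs


if __name__ == "__main__":
    for p, q in correlate(DOCS, "Malicious Command Line", "Malicious File Created"):
        print(p["host"], p["@timestamp"], "->", q["@timestamp"])
```

With the sample data only ws1 matches: ws2's file event arrives 20 minutes after the command line, and on ws3 the file event precedes the command line.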