It’s completely possible that I’m going about this all wrong and if so please help me understand the best/most efficient way to handle it.
Basically I’m trying I’m trying to find a way to search from a specific source If EventID:B occurred in xTime after EventID:A occurred.
Also a side question. Is it possible to view surrounding messages from EventID:x between Source:A and Source:B to show the difference? A little back story to help understand why this would be useful for us currently: We are having some random lockup issues between a couple severs and can’t pin down what is causing it. So it if was possible to see surrounding message of a specific EventID:x from Source:a and Source:B hopefully the 1 or 2 things that show up would be the same on both to lead us down the correct path.
Thanks for any help that can be provide. I’ll go ahead and apologize for my lack of knowledge of graylog.