Hi kibana team,
I have a frequently appearing use case that I am not sure how to realize with the current Kibana instruments.
This is the case:
I search all log events in the last 3 days for an error message. Note that I am aggregating multiple servers, each with multiple instances, in ES/Kibana; this means about 20 million events in 3 days. Then I find, for example, a NullPointerException of my web application. What I now want to do is see all log events surrounding this NPE in the affected instance.
This means for me I usually have to choose 3 filters:
- 1 for the server or host
- 1 for the instance on that host
- 1 for the timepicker

But this is not possible the way I want to do it. After selecting the first filter in the event table, the complete query is redone with all selected filters. This means that the focus on the original log event is lost.
What I could imagine is selecting multiple filters, followed by re-execution of the query.
Another issue is filtering the timestamp field. First of all, it would be nice if the timestamp field got special care. What I mean is not filtering the timestamp as a String but filtering it as a timestamp (timestamp filter is always available). And, to not just filter for the millisecond the event appeared in, add an option to do plus/minus a configured value. For example: "filter for that timestamp +/- 5 seconds".
I know, this is probably quite a lot to do. But maybe some other people would benefit from these advantages, too.
Please comment if anything is sketchy.
Regards,
Thomas
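
Added example, not part of the original issue and not Kibana's own code: a sketch of the "surrounding events" lookup described above, which builds one Elasticsearch bool query that pins host and instance from a chosen event and applies a +/- window around its timestamp. The field names `host`, `instance` and `@timestamp`, the helper names and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    # ISO 8601 with a trailing "Z" (assumed timestamp format)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def fmt_ts(dt):
    text = dt.astimezone(timezone.utc).isoformat(timespec="milliseconds")
    return text.replace("+00:00", "Z")

def surrounding_query(anchor, window_seconds=5, pin_fields=("host", "instance")):
    """All three filters in one query, so the anchor event stays in focus."""
    ts = parse_ts(anchor["@timestamp"])
    delta = timedelta(seconds=window_seconds)
    # term queries need exact-value (not analyzed) fields to match reliably
    filters = [{"term": {f: anchor[f]}} for f in pin_fields]
    filters.append({"range": {"@timestamp": {
        "gte": fmt_ts(ts - delta), "lte": fmt_ts(ts + delta)}}})
    return {"query": {"bool": {"filter": filters}},
            "sort": [{"@timestamp": "asc"}]}

def matches(event, query):
    """Evaluate the term/range filters locally, to show what would come back."""
    for clause in query["query"]["bool"]["filter"]:
        if "term" in clause:
            (field, value), = clause["term"].items()
            if event.get(field) != value:
                return False
        else:
            (field, bounds), = clause["range"].items()
            t = parse_ts(event[field])
            if not parse_ts(bounds["gte"]) <= t <= parse_ts(bounds["lte"]):
                return False
    return True

# Constructed sample events: (id, host, instance, timestamp)
EVENTS = [dict(zip(("id", "host", "instance", "@timestamp"), row)) for row in [
    (1, "web01", "a", "2013-05-02T10:15:20.000Z"),
    (2, "web01", "a", "2013-05-02T10:15:27.500Z"),
    (3, "web01", "a", "2013-05-02T10:15:30.120Z"),  # the NullPointerException
    (4, "web01", "b", "2013-05-02T10:15:30.900Z"),
    (5, "web02", "a", "2013-05-02T10:15:31.000Z"),
    (6, "web01", "a", "2013-05-02T10:15:34.000Z"),
    (7, "web01", "a", "2013-05-02T10:15:36.000Z"),
]]

def surrounding_ids(anchor, window_seconds=5):
    query = surrounding_query(anchor, window_seconds)
    return [e["id"] for e in EVENTS if matches(e, query)]

if __name__ == "__main__":
    print(surrounding_ids(EVENTS[2]))
```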