Date="8 May 2020" Link="X" Status="UP"
Date="9 May 2020" Link="Y" Status="DOWN"
Date="10 May 2020" Link="X" Status="UP"
Date="11 May 2020" Link="X" Status="DOWN"
Date="12 May 2020" Link="Y" Status="UP"
Date="13 May 2020" Link="X" Status="DOWN"
I am getting logs on daily basis in above format and data . I am looking to find field Link whose Status went down but never came up and on which date it went DOWN . For example in above case , Link X went down on 11 May but log on 13 May shows its still down so it went down on 11th and is down since 2 days . Following query works but issue is streamstats capture 10000 events by default so it doesn't get data for all links as logs are more than that .
|makeresults
| eval _raw="Date=\"8 May 2020\" Link=\"X\" Status=\"UP\"
Date=\"9 May 2020\" Link=\"Y\" Status=\"DOWN\"
Date=\"10 May 2020\" Link=\"X\" Status=\"UP\"
Date=\"11 May 2020\" Link=\"X\" Status=\"DOWN\"
Date=\"12 May 2020\" Link=\"Y\" Status=\"UP\"
Date=\"13 May 2020\" Link=\"X\" Status=\"DOWN\""
| multikv noheader=t
| kv
| table Date Link Status
| eval Date=strptime(Date,"%d %B %Y")
| fieldformat Date=strftime(Date,"%F")
| sort Link Date
| streamstats current=f last(Status) as prev by Link
| streamstats count(eval(Status!=prev)) as changed by Link
| eventstats last(changed) as session by Link
| where changed==session
| stats min(Date) as start max(Date) as end values(Status) as Status by session Link
| where Status="DOWN"
| convert ctime(start) ctime(end) timeformat="%F"
