Hi @gcusello The following solution is working for me: | rex "(?<TimeStamp>\d+-\d+-\d+ \d+:\d+:\d+\.\d+ \+02:00)\s+[^ ]"
| fields - _time
| eval _time=strptime(TimeStamp,"%Y-%m-%d %H:%M:%S.%3N %:z")
| sort -_time
| eval ret_event = split(_raw, ":")
| eval owcs_msg = mvindex(ret_event,4)
| eval owcs_msg_splited = split(owcs_msg, ";")
| eval owcs_msg_id = mvindex(owcs_msg_splited,0)
| eval owcs_msg_station = mvindex(owcs_msg_splited,1)
| eval owcs_msg_status = mvindex(owcs_msg_splited,2)
| where owcs_msg_status = 57 OR owcs_msg_status = 59
| transaction owcs_msg_station endswith=owcs_msg_status=59 keepevicted=true
| eval counter=1
| accum counter as Row
| mvexpand TimeStamp
| stats min(_time) AS NotAvailableTimeStamp max(_time) AS AvailableTimeStamp BY owcs_msg_station Row field1
| eval NotAvailableTimeStamp=strftime(NotAvailableTimeStamp,"%Y-%m-%d %H:%M:%S.%3N"), AvailableTimeStamp=strftime(AvailableTimeStamp,"%Y-%m-%d %H:%M:%S.%3N")
| eval ts1=substr(field1,0,30)
| eval _time1=strptime(ts1,"%Y-%m-%d %H:%M:%S.%3N %:z")
| eval owcs_msg_splited1 = split(field1, ";")
| eval owcs_msg_station1 = mvindex(owcs_msg_splited1,1)
| eval owcs_msg_status1 = mvindex(owcs_msg_splited1,2)
| stats min(_time1) AS NotAvailableTimeStamp max(_time1) AS AvailableTimeStamp by owcs_msg_station1 Row
| eval NotAvailableTimeStamp=strftime(NotAvailableTimeStamp,"%Y-%m-%d %H:%M:%S.%3N"), AvailableTimeStamp=strftime(AvailableTimeStamp,"%Y-%m-%d %H:%M:%S.%3N")
... View more