Based on the test data you're giving I had to fill some blanks, but if you want to detect a change only, the following could suffice:

| makeresults format=csv data="
_time,host,qid
2022-04-19,host_a,105015
2022-04-26,host_a,70053
2022-04-19,host_b,38307
2022-04-26,host_b,105053
2022-04-19,host_c,70053
2022-04-26,host_c,70053"
| stats dc(qid) as qid_count, last(qid) as last_qid by host
| where qid_count>1 AND (last_qid="38307" OR last_qid="105053")

So the "stats dc" counts unique qid values by host; where there's more than 1 value, it has changed. If you want to detect that its last attempt has failed, the last_qid field could be compared to known fail states.