I am currently working on creating an alert to notify if the status of a switch is disable for more than 10 min, common scenario is that switches disconnect for a min and would be back to running, we would only like to target the ones whose status remains disconnected for more than 10 min.
Below is the sample log:
Apr 18 07:46:25 hostname tag=abc CEF:0Agent status changed|Status of agent "name" at IP "ip address" (id=10,0) changed from running to disabled
Apr 11 07:50:10 hostname tag=abc CEF:0Agent status changed|Status of agent "name" at IP "ip address" (id=10,0) changed from disabled to Running
| rex "changed from (?<transition>.*)"
| streamstats count(eval(transition="disabled to Running")) AS sessionID BY host
| stats first(_time) AS _time count dc(transition) AS transitionCount values(transition) AS transition BY sessionID host
| where transitionCount==1 AND transition="running to disabled" AND _time <= relative_time(now(), "-10m")