I have log entries looking as follows:

Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47,993;

Nov 16 08:33:08 psdkxt05 MID=xxx004E;XID=;SID=;UID=;STM=2010-11-16 08:33:08,824;

Nov 16 08:07:44 psdkxt05 MID=XXX005I;XID=;SID=;UID=;STM=2010-11-16 08:07:44,255;

Nov 16 08:03:03 psdkxt05 MID=XXX004E;XID=;SID=;UID=;STM=2010-11-16 08:03:03,120;

I have to calculate the time between 004E and 005I - but I do NOT want the calculation between 005I and 004E

I have following search:

host = psdkxt05 MID=XXX004E OR MID=XXX005I 
| EVAL PRC=SUBSTR(MID,1,3)
| EVAL ERR=SUBSTR(MID,5,3)
| SORT -_time
| delta _time as diff
| EVAL Outage(Minutes)=ROUND(diff/-60) 
| TABLE PRC ERR Outage(Minutes) _time

This gives following result:

 1. 1   11/16/10 8:37:47.000 AM XXX 05I
 2. 2   11/16/10 8:33:08.000 AM XXX 04E 5
 3. 3   11/16/10 8:07:44.000 AM XXX 05I 25
 4. 4   11/16/10 8:03:03.000 AM XXX    04E  5

How do I avoid the calculation in line 3?