Would this simple search do?  Assuming threatRebootRequired is reported every 5 minutes,

index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false"
| bin span=5m _time
| stats min(_time) as start max(_time) as end by threatRebootRequired
| where threatRebootRequired == "true" and now() - end < 300 and now() - start > 2*86400

The above should give you those needing reboot for > 2 days.  To get those needing reboot for > 2 business days, add a week day filter, like

index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false"
| bin span=5m _time
| stats min(_time) as start max(_time) as end by threatRebootRequired
| where threatRebootRequired == "true" and now() - end < 300 and now() - start > 2*86400 and startdow >0 and startdow < 6

Hi @yuanliu ,

I worked on the query you shared, but I am getting data as below, I would like to sort by computerName and I am using span=1d here. 

When I add the last part of the query (where threatRebootRequired == "true" and now() - end < 300 and now() - start > 2*86400) I do not get any results.

Please find the attached screenshot

Before addressing why your filter came out empty, I need to reveal a bigger problem with my previous code: stats should group by _time bucket as well as by host.

Now to the reason why the filter came empty, even though your end time is 6 days after start time (which is not what it is meant to measure because of my mistake): that "now() - end < 300" needs to be adjusted according to the collection period of threatRebootRequired as well as your time bucket.  For the simplistic strategy to be correct, the collection period should be equal to or larger than the time bucket which you set to be 1d.  Assuming the two are equal, that expression should be adjusted to "now() - end < 86400", i.e., that the last event at this state came in less than 1d ago.  If collection period is longer, adjust 86400 to that period to match the last collected event.  If collection period is shorter than time bucket, you can use latest(threatRebootRequired) as a second filter.  But that kind of ruins the simplicity.

Taking these two, you can try this

index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false"
| bin span=1d _time
| stats min(_time) as start max(_time) as end by host _time threatRebootRequired
| where threatRebootRequired == "true" and now() - end < 86400 and now() - start > 2*86400

@yuanliu 

I have attached the screenshot of (a single host, as an example) for the result I am getting if I use the below query, If I had the rest of the query, I do not get any results. We are getting the data once per day.

index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false"
| bin span=1d _time
| stats min(_time) as start max(_time) as end by host _time threatRebootRequired
| where threatRebootRequired == "true"

@vgiri8 The screenshot reveals a different problem by setting _time bucket to just 1 day.  The bucket should greater than the amount of the test boundary.  With this in mind, could you test the simpler form, without group by _time for now?

index=my_index sourcetype=my_sourcetype isDecommissioned="false" isUninstalled="false"
| stats min(_time) as start max(_time) as end by threatRebootRequired
| where threatRebootRequired == "true" and now() - end < 86400 and now() - start > 2*86400

Hi @yuanliu,

I tried as you mentioned but the number host is now only one, compared to many host in the last query. Please find attached screenshot of current output. 
Time range is took is same for both old and new query(without the bin _time)