This is my query and I have some challenges in the log. The thing is my daily job will start at 11 PM. If the job runs successfully it will complete before 11:30. So I set status as success. But in case of job time out the job time out at next day at 1:30 AM. Again, the job started on the next day 11:PM and ran successfully, but now I have failure and success in same day. How can I check the event and set status as a failure?

index=xx* app_name="xxx" OR cf_app_name="yyy*" OR app_name="ccc"
|bucket _time span=1d |eval dayweek=strftime(_time,"%H")|convert timeformat="%m-%d-%y" ctime(_time) as c_time|eval Job = case(like(msg, "%first%"), "first Job", like(msg, "%second%"), "second Job", like(msg, "%third%"), "third job",like(msg, "%fourth%"), "fourth job")| stats count(eval(like(msg, "%All feed is completed%") OR like(msg, "%Success:%") OR like(msg, "%Success: %") OR like(msg, "%Finished success%"))) as Successcount count(eval(like(msg, "%Fatal Error: %") OR like(msg, "%Fatal Error:%") OR like(msg, "%Job raised exception%") AND like(msg, "% job error%"))) as failurecount by Job c_time dayweek|eval status=case((Job="fourth job") AND (dayweek=="Saturday" OR dayweek=="Sunday"),"NA",Successcount>0,"Success",failurecount>0,"Failure")| xyseries Job c_time status