The context: We have an integration between a tool and AD using agents. Every so often, the tool reports that the agent disconnected, and then about 5-20 minutes later, it'll say the agent reconnected.

I already have a search that uses transaction to get me what I need in general, but it's not quite what I'm looking for. The draft:

index="connector" eventType="ad.agent.connect"
| rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+"
| transaction agent startswith="ad.agent.disconnected" endswith="ad.agent.reconnected"
| table _time, displayMessage, agent
| sort _time

What I actually want: Only events that do not have an event "ad.agent.reconnected" within 30 minutes of the "ad.agent.disconnected" event.

maxspan isn't doing it for me; I need something more like minspan, or invert=true, or something. The agent name isn't unique enough to go "if you never see this field again".

Help?