This works really well and I have monkeyed around with the data giving all sorts of time stamps and it works. Can you take me through the steps and help me understand how the query breaks down this data?

Best way to understand the query is the just apply is part by part to your base search and see the result (at least for small result set).

Get your result and sort in ascending order of time

Your base search | sort 0 _time

For each row, get the previous event's timestamp and DeviceValue

streamstats current=f window=1 values(DeviceValue) as prev values(_time) as prevtime

Filter first events (as that is the first status), calculate duration between current event and prev event.

 | where isnotnull(prev) | eval duration=_time-prevtime 

The field prev contains the previous status and duration contains how long the previous status was valid, so generate your summary using stats, use user friendly value for prev, format and display.

 | stats sum(duration) as duration by prev | eval Status=if(prev=0,"Not Home","Home") | eval Duration=tostring(duration,"duration")| table Status Duration

Thank you for your reply. I am not sure if this is going to work for this use case. If I understand the query above it counts the number of events that are raised to the value 100 and then evaluates the sum of those as minutes at home and provides a table of the amount of time?

The only problem is that the times listed in the sample data are not for every minute and can be variable. So I need to calculate the time inbetween the beginning of the 100 events and the beginning of the next 0 event. and do that for every time I enter and leave the house.

Any idea of how this could be done? I would think we will need to use the timestamp values somehow in the calculation. But am confused about the search options available to me to accomplish this.

I appreciate your help.