I am using this query "index=oswin* source="WinEventLog:System" (EventCode=6005 OR EventCode=1074 OR EventCode=6006) | table _time dvc EventCode | transaction dvc"
6005=eve
6006=event service stop
1074=server reboot
If event id 6006 at time x occurs and before and after 5 minutes of x if 6005 or 1074 occur then i dont need the output, for this i used transaction to count the duration between the 3 eventcodes and getting the output, however when in a day 2 or more reboots are done than duration i get is large as it calculates difference of between the two reboots of the same dvc.
I need separate grouping of the two reboots done.
Sample ouput attached
