Hi @dflynn235 Were you able to try the search I provided? I'm happy to help work through this if there's an issue with this approach.

@livehybrid wrote:

Hi @dflynn235 Does the following do what you are looking for?

| eval status=case(searchmatch("has gone down"),"Down",searchmatch("is up"),"Up",true(),"Unknown")
| rex "on interface (?<iface>[a-zA-Z0-9]+)"
| stats range(_time) as downTime latest(status) as latestStatus by iface
| where downTime>60

Here is a working example with sample data, just add the | where to limit as required.

| makeresults count=1
| eval _raw="2025-05-07T07:20:40.482713-04:00 \"switch_name\" : 2025 May 7 07:20:40 EDT: %BFD-5-SESSION_STATE_DOWN: BFD session 1124073489 to neighbor \"IP Address\" on interface Vlan43 has gone down. Reason: Administratively Down."
| eval host="switch_name"
| append [| makeresults count=1
| eval _raw="2025-05-07T07:20:41.482771-04:00 \"switch_name\" : 2025 May 7 07:20:41 EDT: %BFD-5-SESSION_STATE_UP: BFD session 1124073489 to neighbor \"IP Address\" on interface Vlan43 is up."
| eval host="switch_name"]
| rex "^(?<timeStr>[^\s]+)"
| eval _time=strptime(timeStr,"%Y-%m-%dT%H:%M:%S.%6N%Z")
| eval status=case(searchmatch("has gone down"),"Down",searchmatch("is up"),"Up",true(),"Unknown")
| rex "on interface (?<iface>[a-zA-Z0-9]+)"
| stats range(_time) as downTime latest(status) as latestStatus by iface

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
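As an added illustration (not livehybrid's code and not part of the thread), here is the same pipeline, timestamp extraction, status classification, interface extraction, and per-interface range/latest aggregation, written in plain Python so the logic can be checked offline. The first two sample lines are the ones quoted in the thread; the Vlan44 and Vlan45 lines are constructed to show a longer outage and an interface that is still down. The flag() helper goes one step beyond the thread's `where downTime>60` by also reporting interfaces whose latest state is Down, since a single SESSION_STATE_DOWN event with no matching UP yields range(_time)=0 and would otherwise be filtered out.

```python
import re
from datetime import datetime

# Constructed sample events in the same shape as the switch log lines quoted in the thread.
SAMPLE_EVENTS = [
    '2025-05-07T07:20:40.482713-04:00 "switch_name" : 2025 May 7 07:20:40 EDT: %BFD-5-SESSION_STATE_DOWN: BFD session 1124073489 to neighbor "IP Address" on interface Vlan43 has gone down. Reason: Administratively Down.',
    '2025-05-07T07:20:41.482771-04:00 "switch_name" : 2025 May 7 07:20:41 EDT: %BFD-5-SESSION_STATE_UP: BFD session 1124073489 to neighbor "IP Address" on interface Vlan43 is up.',
    # constructed: a 300 s outage on Vlan44
    '2025-05-07T07:10:00.000000-04:00 "switch_name" : 2025 May 7 07:10:00 EDT: %BFD-5-SESSION_STATE_DOWN: BFD session 1124073490 to neighbor "IP Address" on interface Vlan44 has gone down. Reason: Control Detection Time Expired.',
    '2025-05-07T07:15:00.000000-04:00 "switch_name" : 2025 May 7 07:15:00 EDT: %BFD-5-SESSION_STATE_UP: BFD session 1124073490 to neighbor "IP Address" on interface Vlan44 is up.',
    # constructed: Vlan45 went down and has not come back yet
    '2025-05-07T07:25:00.000000-04:00 "switch_name" : 2025 May 7 07:25:00 EDT: %BFD-5-SESSION_STATE_DOWN: BFD session 1124073491 to neighbor "IP Address" on interface Vlan45 has gone down. Reason: Control Detection Time Expired.',
]

TIME_RE = re.compile(r"^(?P<timeStr>\S+)")                      # mirrors rex "^(?<timeStr>[^\s]+)"
IFACE_RE = re.compile(r"on interface (?P<iface>[a-zA-Z0-9]+)")  # mirrors rex "on interface (?<iface>...)"


def classify(raw):
    """Same branch order as the SPL case(): the first matching branch wins."""
    if "has gone down" in raw:
        return "Down"
    if "is up" in raw:
        return "Up"
    return "Unknown"


def parse_event(raw):
    """Extract _time, iface and status from one raw line."""
    time_str = TIME_RE.match(raw).group("timeStr")
    # fromisoformat accepts the 6-digit fraction and the -04:00 offset, giving an aware datetime
    event_time = datetime.fromisoformat(time_str)
    m = IFACE_RE.search(raw)
    return {"_time": event_time, "iface": m.group("iface") if m else None, "status": classify(raw)}


def summarize(raws):
    """Equivalent of: stats range(_time) as downTime latest(status) as latestStatus by iface."""
    by_iface = {}
    for ev in (parse_event(r) for r in raws):
        if ev["iface"] is None:
            continue  # events without an iface are dropped from a "by iface" split
        s = by_iface.setdefault(
            ev["iface"], {"first": ev["_time"], "last": ev["_time"], "latestStatus": ev["status"]}
        )
        if ev["_time"] < s["first"]:
            s["first"] = ev["_time"]
        if ev["_time"] >= s["last"]:
            s["last"] = ev["_time"]
            s["latestStatus"] = ev["status"]  # latest() = status of the most recent event
    return {
        iface: {
            "downTime": (s["last"] - s["first"]).total_seconds(),  # range(_time) in seconds
            "latestStatus": s["latestStatus"],
        }
        for iface, s in by_iface.items()
    }


def flag(summary, threshold=60):
    """where downTime>threshold, plus interfaces whose most recent state is still Down."""
    return sorted(
        iface for iface, s in summary.items()
        if s["downTime"] > threshold or s["latestStatus"] == "Down"
    )


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for iface, s in sorted(result.items()):
        print(f"{iface}: downTime={s['downTime']:.6f}s latestStatus={s['latestStatus']}")
    print("flagged:", flag(result))
```

One caveat carried over from the SPL: range(_time) only equals the outage length when the DOWN and UP events are the only events for that interface in the search window; with several flaps in one window it measures first-to-last event instead, so a per-session split (for example by the BFD session id) is needed for exact durations.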