You can also do it with streamstats with the last two lines of this example - note the field name Log_text, with the _ in the middle, as the reset_after statement doesn't like spaces in the field nam...
See more...
You can also do it with streamstats with the last two lines of this example - note the field name Log_text, with the _ in the middle, as the reset_after statement doesn't like spaces in the field name. | makeresults format=csv data="Row,Time,Log_text
1,7:00:00am,connected
2,7:30:50am,disconnected
3,7:31:30am,connected
4,8:00:10am,disconnected
5,8:10:30am,disconnected"
| eval _time=strptime(Time, "%H:%M:%S")
| sort - _time
| streamstats time_window=120s reset_after="("Log_text=\"disconnected\"")" count
| where count=1 AND Log_text="disconnected"