Personally, I would do something like this:
host=xyz sourcetype="WinEventLog:System" (SourceName=USER32 AND EventCode=1074) OR (SourceName=W32Time AND EventCode=35) | transaction maxspan=10m maxpause=5m keepevicted=0 startswith="EventCode=1074" endswith="EventCode=35"
What this does for you is apply some constraints to your transaction processing. Meaning, the transaction command will not look for instances where the total time between the shutdown and startup exceeds 5 minutes (maxpause). Additionally, the transaction command will not look out past 10 minutes for matching pairs (maxspan). Obviously, you can play with the settings a bit to get what you really want.
Lastly, keepevicted set to false basically throws any results you have that don't match what you're looking for on the floor so they don't corrupt your statistics.
Now, you should be able to simply choose your time picker for the last day, last 4 hours, etc., and get the results you're looking for...
Hope that helps.
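As an added example (not part of the original post, and not Splunk's own implementation), the Python sketch below is a simplified forward-in-time model of the pairing the search above asks for: open on EventCode 1074, close on EventCode 35, and discard anything that breaks the maxspan or maxpause limits. The function name `pair_reboots` and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=10)   # maxspan=10m from the search
MAXPAUSE = timedelta(minutes=5)   # maxpause=5m from the search

def pair_reboots(events, maxspan=MAXSPAN, maxpause=MAXPAUSE):
    """Simplified model of the transaction: open on 1074, close on 35.

    events: iterable of (datetime, event_code), in any order.
    Returns (closed, evicted): closed is a list of (start, end, duration);
    evicted lists shutdowns that never closed within the limits, i.e. the
    results that keepevicted=0 throws away.
    """
    closed, evicted = [], []
    start = last = None
    for ts, code in sorted(events):
        if start is not None and (ts - last > maxpause or ts - start > maxspan):
            evicted.append(start)          # limits exceeded: drop the open transaction
            start = last = None
        if code == 1074:
            if start is not None:
                evicted.append(start)      # second shutdown before any startup
            start = last = ts
        elif code == 35 and start is not None:
            closed.append((start, ts, ts - start))
            start = last = None
    if start is not None:
        evicted.append(start)              # shutdown with no startup in the window
    return closed, evicted

def _t(hhmmss):
    return datetime.strptime("2024-01-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")

# Constructed sample events, not taken from any real host.
SAMPLE = [
    (_t("02:00:00"), 1074), (_t("02:03:10"), 35),   # closes in 3m10s: kept
    (_t("09:00:00"), 1074), (_t("09:07:00"), 35),   # 7m gap exceeds maxpause: evicted
    (_t("14:00:00"), 1074),                          # shutdown with no startup seen
    (_t("18:30:00"), 35),                            # EventCode 35 with no open shutdown
]

if __name__ == "__main__":
    closed, evicted = pair_reboots(SAMPLE)
    for start, end, dur in closed:
        print(f"reboot {start:%H:%M:%S} -> {end:%H:%M:%S} took {dur}")
    print(f"discarded {len(evicted)} unmatched shutdown(s)")
```

The discarded shutdowns are worth reviewing separately, since a shutdown with no matching startup inside the limits is exactly what the search hides from the statistics.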