host Status=Offline OR Status=Online | search target="" | selfjoin Status | sort _time,target | table _time,target,Status,src,host | dedup 1 Status,target | rename target as Agent_Host | rename Status as Current_Status | rename src as Source_IP
The machines go offline then come back on; I need to monitor for the duration of the downtime as well as maybe alert when the duration exceeds an hour.
Thanks in advance.
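One way to get the downtime per agent and keep only outages longer than an hour, as an added example that is not part of the original post and was not run against the poster's data. It reuses the `target`, `Status`, `src` and `host` fields from the search above. `index=your_index` is a placeholder for the real base search, and the output names `downtime_sec`, `state` and `downtime` are made up for the example.

```spl
index=your_index (Status=Offline OR Status=Online) target=*
| sort 0 target _time
| dedup Status target consecutive=true
| streamstats current=f last(Status) as prev_status last(_time) as prev_time by target
| eventstats max(_time) as last_seen by target
| eval downtime_sec=case(
    Status="Online" AND prev_status="Offline", _time - prev_time,
    Status="Offline" AND _time=last_seen, now() - _time)
| where downtime_sec > 3600
| eval state=if(Status="Offline", "still offline", "recovered")
| eval downtime=tostring(downtime_sec, "duration")
| rename target as Agent_Host, src as Source_IP
| table _time Agent_Host Source_IP host state downtime
```

The `dedup ... consecutive=true` step keeps the first event of each run of identical statuses, so repeated Offline events do not shorten the measured outage. Saved as a scheduled alert that triggers when the result count is greater than zero, it also reports agents that went offline more than an hour ago and have not come back.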