Hi @Johnstone234, in this case, you have to recognize if, in the monitoring period (e.g. every five minutes), you have only the event of disconnection but not the following event of connection, so please try something like this (adapt my hint because I cannot test it):
index="XXXlogs" sourcetype="systemlog" eventid="*connectserver" devicename="device1" logdescription="Agent*"
| eval Status=if(like(logdescription,"%Unable to reach Agent%"),"Down","Up")
| stats dc(Status) AS dc_status values(Status) AS Status count by win_server, event_id
| where dc_status=1 AND Status="Down"
Ciao. Giuseppe
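The same detection logic, shown as an added Python example that is not part of the post above: it classifies one monitoring window per server and compares the case the post describes (only a disconnection in the window) with a check on the most recent event, which also catches an "Up" followed by a "Down". The server names, timestamps and the "connection restored" message are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (time, win_server, logdescription); not real logs.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:10", "srv-a", "Agent: Unable to reach Agent"),
    ("2024-01-01T10:01:30", "srv-a", "Agent connection restored"),
    ("2024-01-01T10:02:00", "srv-b", "Agent: Unable to reach Agent"),
    ("2024-01-01T10:00:05", "srv-c", "Agent connection restored"),
    ("2024-01-01T10:03:40", "srv-c", "Agent: Unable to reach Agent"),
    ("2024-01-01T10:04:00", "srv-d", "Agent connection restored"),
]

def status_of(logdescription):
    """Same rule as the eval in the search: the message text decides Down/Up."""
    return "Down" if "Unable to reach Agent" in logdescription else "Up"

def classify(events):
    """Return (only_down, last_down) sets of servers for one monitoring window.

    only_down: every event in the window is Down (the dc(Status)=1 test).
    last_down: the most recent event is Down, whatever came before it.
    """
    per_server = defaultdict(list)
    for ts, server, desc in events:
        per_server[server].append((datetime.fromisoformat(ts), status_of(desc)))
    only_down, last_down = set(), set()
    for server, seen in per_server.items():
        seen.sort()  # order each server's events by timestamp
        statuses = {s for _, s in seen}
        if statuses == {"Down"}:
            only_down.add(server)
        if seen[-1][1] == "Down":
            last_down.add(server)
    return only_down, last_down

if __name__ == "__main__":
    only_down, last_down = classify(SAMPLE_EVENTS)
    print("only Down events:", sorted(only_down))
    print("last event is Down:", sorted(last_down))
```

In the sample window, srv-c reconnects early and then drops again, so it has two distinct statuses and only the latest-event check reports it.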