Try this alternative query. index=th (Stage="UP" OR Stage="DOWN" )
| dedup host_name
| where (lastStatus="DOWN" AND _time<relative_time(now(),"-30m")) If you still do not get the desired results, then run the query one command at a time until the results become undesirable. The latest command is the one we would need to focus on.
... View more