One way to do this is to use transactions to join started and ended events. I assume you only get one pair per clientid.
earliest="-5d" tag="aa" sourcetype="bb" "Client started." OR "Client ended."
| rex "Notification Client - (?<clientid>\S+)]"
| rex "Client (?<clientstatus>\S+)\."
| transaction clientid
| eval status=case(clientstatus=="started" AND clientstatus=="ended",0, clientstatus=="started",1, clientstatus=="ended",0)
| timechart last(status) by clientid
If you get more than one start/end pair per clientid, you need to add startswith, endswith and keeporphans, e.g.
| transaction clientid startswith="ended" endswith="started" keeporphans=true
Note I have swapped the start and end terms rather than sort the data by time.