My site has customers that connect periodically throughout the day. I am trying to build a table/array for the uptime of said customer on view that I monitor throughout the day and then a timechart search for the connected customers. The customers don't normally stay connected for longer than 24 hours but the message that is generated when someone connects is:

%BGP-5-ADJCHANGE: neighbor [IP address] Up

%BGP-5-ADJCHANGE: neighbor [IP address] Down BGP Notification sent

I have field extractions where neighbor=[IP address] and state_to=up/down

I got kind of close for the table (it's usable) with:
ADJCHANGE | contingency neighbor state_to
... but I don't know how to filter the results to only show the ones where the count of state_to Up>Down

As for the timeline, I am stuck. I am trying to have a line graph with who connected (uptime) throughout the day/week. I simply don't understand which command I need to use as I've never coded something before (I'm just a network plumber). I'm pretty certain I need what I have below, but for the timeline/(sparkline?) portion of the command, I'm stuck. It graphs the sparkline but only graphs the events (syslog), not the duration between the events. Which again, is usable but not what I want.

ADJCHANGE | transaction neighbor startswith=(state_to="Up") endswith=(state_to="Down") | makecontinuous _time span=10m | stats sparkline count, sum(duration) by neighbor | sort sum(duration) desc
What I have so far