Because there is no _time.
index=opennms nodelabel="GQML2-WANRTC001" "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<State>.+)"
| transaction nodelabel startswith=eval(State="Down") endswith=eval(State="Up") keepevicted=true
| eval downtime=if(closed_txn=1,duration,null)
| eval downtime=tostring(downtime, "duration")
| fillnull value="" downtime
| eval Status=if(closed_txn=1,"Up","Down")
| table nodelabel,Status,downtime
... View more