I have an AWS CW log of multiple camera devices. These devices can go offline and come back online and report this to the log. I want to alert when a camera goes offline but does not come back online within 60 seconds.
I have the following query, but it does not work if a camera does not come back online, as the lastOnlineTime timestamp is empty. Can I test for this in a CWL Insights query? There are no IF or NULL operators in the CWL query language. How can I account for no/empty online messages?
fields @timestamp, @message, @logStream as log_id
| filter @message like /Device communication error/ or @message like /Device communication established/
| parse @message "Device communication error" as deviceId_offline
| parse @message "*Device communication established" as deviceId_online
| parse @message /.*CameraDecoder \((?<camera_name>[^\)]+)\).*/
| stats min(@timestamp) as firstOfflineTime, max(@timestamp) as lastOnlineTime by camera_name
| filter (lastOnlineTime - firstOfflineTime) > 60
| sort firstOfflineTime desc
A typical stream in the log would be something like the snip below, but sometimes we don't get a re-established message at all, and this is what is giving the query the issue.
2024-11-15 13:10:11.234+00:00 [ 167] WARNING - bdab-b307-4df3-8596 CameraDecoder (testc00013.test0001ev) - Camera 1 Device communication error (NoDataException). Error: GetMediaDataBlock returned no data.
2024-11-15 13:10:18.602+00:00 [ 167] INFO - bdab-b307-4df3-8596 CameraDecoder (testc00013.test0001ev) - Camera 1 Device communication established
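The detection logic the question is after, as an added Python example that is not part of the original post: it parses lines in the format of the snippet above, pairs each camera's first "error" with its next "established", and uses the end of the evaluation window (a value you pass in) as the stand-in timestamp for cameras that never report recovery, which is exactly the row a stats-based query drops because there is no "established" event to aggregate. The sample lines are constructed for this example (the cameras 2 and 3 names and times are made up). One caveat carried into the example: @timestamp in Logs Insights is epoch milliseconds, so a bare `> 60` in the posted filter compares 60 ms rather than 60 s; the threshold below is in explicit seconds.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the same format as the snippet in the question.
# Camera 1 recovers after ~7 s, camera 2 recovers after 90.5 s, and camera 3
# never reports "established" (the case the question's query cannot express).
SAMPLE_LOG = """\
2024-11-15 13:10:11.234+00:00 [ 167] WARNING - bdab-b307-4df3-8596 CameraDecoder (testc00013.test0001ev) - Camera 1 Device communication error (NoDataException). Error: GetMediaDataBlock returned no data.
2024-11-15 13:10:18.602+00:00 [ 167] INFO - bdab-b307-4df3-8596 CameraDecoder (testc00013.test0001ev) - Camera 1 Device communication established
2024-11-15 13:12:00.000+00:00 [ 168] WARNING - bdab-b307-4df3-8596 CameraDecoder (testc00014.test0001ev) - Camera 2 Device communication error (NoDataException). Error: GetMediaDataBlock returned no data.
2024-11-15 13:13:30.500+00:00 [ 168] INFO - bdab-b307-4df3-8596 CameraDecoder (testc00014.test0001ev) - Camera 2 Device communication established
2024-11-15 13:15:00.000+00:00 [ 169] WARNING - bdab-b307-4df3-8596 CameraDecoder (testc00015.test0001ev) - Camera 3 Device communication error (NoDataException). Error: GetMediaDataBlock returned no data.
"""

# Same shape as the question's parse patterns: the camera name inside
# "CameraDecoder (...)" and the state word that follows "Device communication".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}) .*?"
    r"CameraDecoder \((?P<camera>[^)]+)\).*?Device communication (?P<state>error|established)"
)


def parse_events(text):
    """Return (timestamp, camera_name, state) tuples sorted by time.

    Lines that are not communication events are ignored, mirroring the
    `filter @message like ...` step of the posted query.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["camera"], m["state"]))
    events.sort(key=lambda e: e[0])
    return events


def find_prolonged_outages(events, evaluated_at, threshold_seconds=60):
    """Return one record per outage longer than threshold_seconds.

    evaluated_at (ISO-8601 string or aware datetime) is the end of the query
    window. It stands in for the missing "established" timestamp of cameras
    that have not come back, so they are alerted on instead of being dropped.
    """
    if isinstance(evaluated_at, str):
        evaluated_at = datetime.fromisoformat(evaluated_at)
    offline_since = {}  # camera -> time of the first error of the current outage
    alerts = []

    def record(camera, start, end, recovered):
        gap = (end - start).total_seconds()
        if gap > threshold_seconds:
            alerts.append({
                "camera": camera,
                "offline_since": start.isoformat(),
                "recovered_at": end.isoformat() if recovered else None,
                "seconds_offline": gap,
            })

    for ts, camera, state in events:
        if state == "error":
            # Repeated errors during one outage keep the original start time.
            offline_since.setdefault(camera, ts)
        elif camera in offline_since:
            record(camera, offline_since.pop(camera), ts, recovered=True)

    # Whatever is still in offline_since has no "established" row at all:
    # measure the outage against the end of the window instead.
    for camera, start in offline_since.items():
        record(camera, start, evaluated_at, recovered=False)

    alerts.sort(key=lambda a: a["offline_since"])
    return alerts


if __name__ == "__main__":
    window_end = "2024-11-15 13:20:00.000+00:00"  # constructed evaluation time
    for alert in find_prolonged_outages(parse_events(SAMPLE_LOG), window_end):
        print(alert)
```

The key design point is that an absent event cannot be tested as an empty field once `stats` has collapsed each camera to one row; the detector instead keeps per-camera state and supplies the reference time itself. On the Insights side the closest equivalent is to parse the state word into its own field and use `stats latest(state) as lastState, max(@timestamp) as lastEvent by camera_name | filter lastState = "error"`, which lists cameras whose most recent communication event is an error whether or not an "established" row exists; the 60-second age check against the end of the window still has to be applied outside the query or against a reference time you supply.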