I have log which has time stamp, tag, and i calculating how many time has been occurred per day. i want to get results if the events has been continuously happened on last 4 days but its returns for last 5 days. As we see below 21st has no data but still it reported as time range selected was last 4 days.
index=* | eval epochtime=strptime(Log_Message_Time, "%m/%d/%Y %H:%M:%S")
| eval Event_Date=strftime(epochtime, "%d-%m-%Y")
| stats delim="," values(Tag) AS _Tag values(Buffer_Value) AS Buffer_Value values(diff) AS diff count AS Per_Day_Occurance BY Event_Date host
| mvexpand Buffer_Value
| mvcombine Log_Message_Tag
| rename host AS Server
| eventstats count AS Days BY Server
| search Days>=4
| join type=left Server [|inputlookup pg_ld_production_servers | table Server Site]
| table Site Server Event_Date Log_Message_Tag Per_Day_Occurance diff
| sort Event_Date
| rename Log_Message_Tag AS "Historian Tag" Event_Date AS "Event Date"
| | host | event date | tag | Occured per day | | | | | |
| | BELL-MESAPPBC1 | 20-05-2021 | tag1,tag2,tag3 | 2 | | | | | |
| 2 | host | 22-05-2021 | tag2,tag4,tag5,tag1 | 3 | | | | | |
| 3 | host | 23-05-2021 | tag1 | 4 | | | | | |
| 4 | host | 24-05-2021 | tag2,tag3 | 5 | | | | | |
| | | | | | | | | | |
