Hello
When I run the search below, it returns random results!
Sometimes, 1 event is displayed and a few minutes after there is no events returned
And sometimes, it's the same event returned excepted the _time field of the vent which is not the same for even so the same hostname!
[| inputlookup host.csv
| table host
| rename host as USERNAME ] `wire` earliest=-30d latest=now
| fields USERNAME SNR RSSI
| eval USERNAME=upper(USERNAME)
| eval time=strftime(_time,"%Y-%m-%d %H:%M")
| search USERNAME=NTTA*
| lookup all.csv HOSTNAME as USERNAME output SITE DESCRIPTION_MODEL BUILDING_CODE ROOM
| stats last(time) as "Event time" last(RSSI) as RSSI, last(SNR) as SNR, last(DESCRIPTION_MODEL) as Model, last(SITE) as Site, last(BUILDING_CODE) as Building last(ROOM) as Room by USERNAME
| where (RSSI >= "-72" AND RSSI <= "-77") AND SNR <= "15"
| rename USERNAME as Hostname
| table "Event time" Hostname RSSI SNR Model Site Building Room
How explain this please??
I wonder if the issue is not in | where (RSSI >="-72" AND RSSI <="-77") AND SNR <"15" ?