My index has logs for multiple Robot jobs so I added a search before the suggested string....

index=ee_rpa_uipath_platform_* AND OrganizationUnitID IN ($folder$) | sort OrganizationUnitID, RobotName, _time, Message | streamstats count reset_on_change=true by Message | where count > 2 | table OrganizationUnitID, User, RobotName, ProcessName, MachineName, _time, Message | sort -_time

...but now what I am finding is that ONLY one Robot has its logs being displayed once search complete i.e. whilst search is ongoing other logs for other Robots are displayed in panel but then disappear once search finishes.  Any ideas on why these logs for other Robots are removed from search?

I put the suggested search string in my searh

Transaction may be your friend.

index=ee_rpa_uipath_platform_* AND OrganizationUnitID IN ($folder$)
```| sort OrganizationUnitID, RobotName, _time, Message```
| eval robotmessage = OrganizationUnitID . ":" . RobotName . ":" . Message
| transaction robotmessage maxevents=3
| where closed_txn=true AND eventcount > 2

About the commented-out sort: because your end goal will always be some kind of tables grouped by OrganizationUnitID and RobotName, there is no point to sort against these two early; if your events come in "naturally", most likely you do not need to sort by _time.

So, if your filter criteria is also by org and robot name, then you can add those into the "BY" clause in the streamstats.

You may not need to use sort if you are also splitting by org+robot as the reset_on_change will reset only when org+robot+message changes.

There are probably being removed by the where command i.e. consecutive messages are not the same, and you are left with occurrences which appear 3 or more times (as requested).