Hi, I tried to ran for a week but result populated for only 5 days and last 2 days populated as 0.

This is the query which I'm using. Please let me know if I'm missing something.

index="foo" sourcetype="xyz" user!="abc" method=POST (url="*search*aspx*" AND code!=302 AND code!=304 AND code!=401 AND code!=403 AND code!=0) [search index="foo" method_name=pqr message="*Response Time for method pqr*" | fields uniqid]
| eval hour=strftime(_time,"%H") | where hour >=7 AND hour <=19
| timechart span=1d count(eval(time_took)) as Total , count(eval(time_took<2000)) as Success, count(eval(time_took>2000)) as misses | sort by "_time" desc

If you run below query for last 30 days, how many records do you get?

index="foo" method_name=pqr message="*Response Time for method pqr*" | stats count by uniqid

Also, give this a try

(index="foo" sourcetype="xyz" user!="abc" method=POST (url="*search*aspx*" AND code!=302 AND code!=304 AND code!=401 AND code!=403 AND code!=0)) OR ( index="foo" method_name=pqr message="*Response Time for method pqr*" )
| fields _time uniqid time_took
| eval hour=strftime(_time,"%H") | where NOT (method=POST AND hour <7 AND hour >19)
| bucket span=1d _time | stats dc(method) as methods count(time_took) as Total count(eval(time_took<2000)) as Success, count(eval(time_took>2000)) as misses by _time uniqid | where methods=2
| timechart span=1d sum(Total) as Total , sum(Success) as Success, sum(misses) as misses | sort by "_time" desc

Hi, Yes. Job inspector shows the below message.

The following messages were returned by the search subsystem:

info : [subsearch]: Subsearch produced 10000 results, truncating to maxout [subsearch_maxout] 10000.

So this is why you are getting different results. Essentially, the subquery is being truncated before finding uniqids prior to sometime on 16th. You could try increasing the limit (limits.conf) or you may need to refactor your search to avoid this truncation.