Hello,
I have this query:
| tstats count as daily_count summariesonly=true allow_old_summaries=true from datamodel="events_prod"
    by events.eventtype events.tail_id sourcetype _time span=1d
| eval day=strftime(_time, "%Y-%m-%d")
| multireport
    [ table daily_count, events.eventtype, day, events.tail_id, sourcetype ]
    [ stats values(events.eventtype) as events.eventtype, values(day) as day,
        values(events.tail_id) as events.tail_id
      | mvexpand events.eventtype | mvexpand day | mvexpand events.tail_id | eval daily_count=0 ]
| eventstats first(sourcetype) as sourcetype by events.eventtype
| stats first(daily_count) as daily_count by events.eventtype, day, events.tail_id, sourcetype
| rename day as _time
| streamstats sum(daily_count) as general by events.tail_id sourcetype time_window=30d
| where general!=0
| streamstats sum(daily_count) as monthly_count by events.eventtype events.tail_id time_window=30d
| table events.eventtype, monthly_count
which calculates the number of events for each eventType for a period of 30 days. Days with no events also need to be included in the calculation, so I've added days with number of events=0 to the query.
I want to clear from the calculation rows where there are no events from their sourcetype and their tail_id for the last 30 days, and clear the rows whose daily calculation = 0 in the empty time period.
What should I add to my query?
Thanks
tstats needs prestats=t option.
I didn't understand which part of my post it is referring to ...
