Hello,
I have this query:
| tstats count as daily_count summariesonly=true allow_old_summaries=true from datamodel="events_prod"
    by events.eventtype events.tail_id sourcetype _time span=1d
| eval day=strftime(_time, "%Y-%m-%d")
| multireport
    [ table daily_count, events.eventtype, day, events.tail_id, sourcetype ]
    [ stats values(events.eventtype) as events.eventtype, values(day) as day,
            values(events.tail_id) as events.tail_id
      | mvexpand events.eventtype | mvexpand day | mvexpand events.tail_id
      | eval daily_count=0 ]
| eventstats first(sourcetype) as sourcetype by events.eventtype
| stats first(daily_count) as daily_count by events.eventtype, day, events.tail_id, sourcetype
| eval _time=strptime(day, "%Y-%m-%d")
| sort 0 _time
| streamstats sum(daily_count) as general by events.tail_id sourcetype time_window=30d
| where general!=0
| streamstats sum(daily_count) as monthly_count by events.eventtype events.tail_id time_window=30d
| table events.eventtype, monthly_count
which calculates the number of events for each eventtype over a period of 30 days. It is also needed to add to the calculation the days with no events, so I've added to the query days with number of events = 0.
I want to remove from the calculation the rows for which there are no events from their sourcetype and their tail_id for the last 30 days, and remove the rows whose daily calculation = 0 in the empty time period.
What should I add to my query?
Thanks
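As an added illustration (not from the poster or from Splunk), the following Python models the calculation the query above performs, so the filtering rules can be checked against known input before touching the SPL: zero-fill every (eventtype, tail_id, sourcetype) series for every day in the range, then take a trailing 30-day sum per (tail_id, sourcetype) as "general" and per (eventtype, tail_id, sourcetype) as "monthly_count", dropping rows whose "general" is 0. The sample counts, the date range and the series names are constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample input (not from the post): the non-zero daily counts that
# "tstats count ... by eventtype tail_id sourcetype _time span=1d" would return.
SAMPLE_DAILY = {
    ("login",  "A", "st1", date(2024, 1, 1)):  5,
    ("login",  "A", "st1", date(2024, 1, 10)): 3,
    ("logout", "A", "st1", date(2024, 2, 20)): 2,
    ("login",  "B", "st2", date(2024, 1, 15)): 4,
}
START, END = date(2024, 1, 1), date(2024, 3, 1)   # constructed search range
WINDOW_DAYS = 30


def zero_fill(daily, start, end):
    """Return {(eventtype, tail_id, sourcetype): {day: count}} with every day in
    [start, end] present for every series seen in `daily`; missing days get 0.
    This mirrors the multireport / mvexpand / stats first(daily_count) part of
    the query, which manufactures the zero-count rows."""
    series = defaultdict(dict)
    for (et, tail, st), day_counts in (
        ((k[0], k[1], k[2]), {k[3]: v}) for k, v in daily.items()
    ):
        series[(et, tail, st)].update(day_counts)
    ndays = (end - start).days + 1
    for key in series:
        for i in range(ndays):
            series[key].setdefault(start + timedelta(days=i), 0)
    return series


def windowed(series, window_days=WINDOW_DAYS):
    """For every row, sum the trailing `window_days` days (current day included)
    twice: 'general' over all eventtypes sharing the row's (tail_id, sourcetype),
    and 'monthly_count' over the row's own (eventtype, tail_id, sourcetype).
    Rows with general == 0 are dropped, as `streamstats ... time_window=30d
    | where general!=0` does in the query."""
    by_tail = defaultdict(lambda: defaultdict(int))
    for (et, tail, st), days in series.items():
        for day, n in days.items():
            by_tail[(tail, st)][day] += n

    out = {}
    for (et, tail, st), days in series.items():
        for day in sorted(days):
            window = [day - timedelta(days=i) for i in range(window_days)]
            general = sum(by_tail[(tail, st)].get(d, 0) for d in window)
            if general == 0:
                continue  # no events at all for this tail_id/sourcetype in the window
            monthly = sum(days.get(d, 0) for d in window)
            out[(et, tail, st, day)] = {"general": general, "monthly_count": monthly}
    return out


def run(daily=SAMPLE_DAILY, start=START, end=END):
    """Full pipeline on the constructed sample."""
    return windowed(zero_fill(daily, start, end))


if __name__ == "__main__":
    result = run()
    for key in sorted(result):
        print(key, result[key])
```

With the sample data, tail A / st1 has no events between 10 January and 20 February, so its rows from 9 February to 19 February are dropped, while the "login" rows on and after 20 February survive with monthly_count 0 because the "logout" event keeps general above 0; that is the behaviour the current `where general!=0` filter produces and the part the poster may want to tighten further.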
tstats needs the prestats=t option.
I didn't understand which part of my post this is referring to...