Hello, 

I'd like to create a search for a multiple alerts on the same host. The idea would be to get results for each host that would see more than 10 malicious files alerts within let's say last 72hours from now.

I tried something like this: 

index=xyz sourcetype=xyz:123 

| bin span=1d createdDate

| eval createdDate_epoch=strptime(createdDate,"%Y-%m-%d")
| eval today_epoch=now()

`comment("#### ####")`
| eval days_lapsed=round((today_epoch - createdDate_epoch)/86400,0)
| where days_lapsed <=3

| stats earliest(createdDate) as createdDate ```values(file_name) as file_name values(filePath) as filePath values(agentComputerName) as agentComputerName``` values(category) as category values(siteName) as siteName values(file_hash) as file_hash values(signature) as signature dc(file_name) as number_of_alerts max(days_lapsed) as days_lapsed by agentComputerName

| where number_of_alerts >4


In my case that gives me that there were 5 alerts for malicious files (some of the files occurred more than once in these 3 days)

And all would be great if not the fact that I have only one date (createdDate), where I'd like to see all dates per each file and when the file was created. 

How do I need to modify my search to get where I need to be?
Thank you!