https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228600#M67621 <P>It seems like there is a field called <CODE>date</CODE> in your event. The field that is used for <CODE>_time</CODE> is not the <CODE>date</CODE> field. </P> Tue, 04 Oct 2016 00:12:44 GMT sundareshr 2016-10-04T00:12:44Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228598#M67619 <P>earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | stats count by date</P> <P>date count<BR /> 2016-10-01 500<BR /> 2016-10-02 707<BR /> 2016-10-03 205 </P> <P>earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | eval date=strftime(_time, "%Y-%m-%d") | stats count by date</P> <P>date count<BR /> 2016-10-01 705<BR /> 2016-10-02 707 </P> <P>Why does the first query return 3 rows, especially when 10/3/2016 is not a part of the search time range?</P> Mon, 03 Oct 2016 23:58:10 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228598#M67619 nk-1 2016-10-03T23:58:10Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228599#M67620 <P>Date isn't a default field in Splunk, so it's pretty much the big unknown here, what those values being logged by IIS actually are/mean. Who knows. </P> <P>If you want to see a count for the last few days technically you want to be using <CODE>timechart</CODE>. </P> <PRE><CODE>earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | timechart span=1d count </CODE></PRE> <P>Anyway, as to why there's a date value being returned that's outside of the timerange, my guess is that in those 205 events, for some semantic reason inside the events themselves, the "date" the event is talking about is actually in the (then) future. </P> <P>One way to find out more is to run this: </P> <PRE><CODE>earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | stats last(_raw) as rawtext count by date </CODE></PRE> <P>And it will grab a sample of the rawtext for each of your three rows. </P> Tue, 04 Oct 2016 00:10:16 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228599#M67620 sideview 2016-10-04T00:10:16Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228600#M67621 <P>It seems like there is a field called <CODE>date</CODE> in your event. The field that is used for <CODE>_time</CODE> is not the <CODE>date</CODE> field. </P> Tue, 04 Oct 2016 00:12:44 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228600#M67621 sundareshr 2016-10-04T00:12:44Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228601#M67622 <P>Thanks guys!<BR /> Yes, MS IIS defines a "date" field in its log format that becomes part of the Splunk event.<BR /> And that date/time appears to be in GMT (future).<BR /> <PRE></PRE></P> <H1>Software: Microsoft Internet Information Services 8.5</H1> <H1>Version: 1.0</H1> <H1>Date: 2016-10-04 00:00:00</H1> <H1>Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken</H1> <P></P> Tue, 04 Oct 2016 00:30:15 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228601#M67622 nk-1 2016-10-04T00:30:15Z https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228602#M67623 <P>Great! <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> I wonder how many others have gotten tangled up in this. </P> Tue, 04 Oct 2016 01:05:45 GMT https://community.splunk.com/t5/Splunk-Search/stats-count-by-date/m-p/228602#M67623 sideview 2016-10-04T01:05:45Z