Re: include date in request - stats count - Splunk Community

Splunk Search

Hello,
I have a problem.
This is my request, it works well.

    index=wineventlog EventID=4624 host=wipr625a OR host=wipr625b OR host=wipr626a OR host=wipr626b user!="DWM*"
   | stats count as "nombre de connexions" by user, host, name

I would like to include the date in my results and that's how I modified my request, only with that request my results are wrong, did I forget something?

 index=wineventlog EventID=4624 host=wipr625a OR host=wipr625b OR host=wipr626a OR host=wipr626b user!="DWM*"
| eval date=strftime(_time, "%d/%m/%Y %H:%M")
| stats count as "nombre de connexions" by user, date, host, name

thanks !

The search statement is correct. Please tell us specifically about the problem.

Is the problem that the number of results is different?
Did you check the displayed error?

https://answers.splunk.com/answers/506621/unknown-error-for-peer-xxx-search-results-might-be.html

How about the following search statement?

| bin span=1m _time
| stats count as "nombre de connexions" by user, _time, host, name

Hello @HiroshiSatoh ,

see my results without date :

and my results when i include date :

Do you see the difference?

116 KB

78 KB

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Thursday, July 9, 2026 | 11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...