Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

stats count by date

nk-1
Path Finder
‎10-03-2016 04:58 PM

earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | stats count by date

date count
2016-10-01 500
2016-10-02 707
2016-10-03 205

earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | eval date=strftime(_time, "%Y-%m-%d") | stats count by date

date count
2016-10-01 705
2016-10-02 707

Why does the first query return 3 rows, especially when 10/3/2016 is not a part of the search time range?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-03-2016 05:10 PM

Date isn't a default field in Splunk, so it's pretty much the big unknown here, what those values being logged by IIS actually are/mean. Who knows.

If you want to see a count for the last few days technically you want to be using timechart. 

earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | timechart span=1d count

Anyway, as to why there's a date value being returned that's outside of the timerange, my guess is that in those 205 events, for some semantic reason inside the events themselves, the "date" the event is talking about is actually in the (then) future.

One way to find out more is to run this: 

earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | stats last(_raw) as rawtext count by date

And it will grab a sample of the rawtext for each of your three rows.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-03-2016 05:12 PM

It seems like there is a field called date in your event. The field that is used for _time is not the date field.

0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-03-2016 05:10 PM

Date isn't a default field in Splunk, so it's pretty much the big unknown here, what those values being logged by IIS actually are/mean. Who knows.

If you want to see a count for the last few days technically you want to be using timechart. 

earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | timechart span=1d count

Anyway, as to why there's a date value being returned that's outside of the timerange, my guess is that in those 205 events, for some semantic reason inside the events themselves, the "date" the event is talking about is actually in the (then) future.

One way to find out more is to run this: 

earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | stats last(_raw) as rawtext count by date

And it will grab a sample of the rawtext for each of your three rows.

0 Karma
Reply
Solved! Jump to solution

nk-1
Path Finder
‎10-03-2016 05:30 PM

Thanks guys!
Yes, MS IIS defines a "date" field in its log format that becomes part of the Splunk event.
And that date/time appears to be in GMT (future).




Software: Microsoft Internet Information Services 8.5



Version: 1.0



Date: 2016-10-04 00:00:00



Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken




					
				
			
			
				
			
			
			
			
			
			
			
		

		
		
	

	
	


	


				
		
			
		
			
		
			
					
			
		
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					 

		
			
				

    
        
    

    


				
			
		
	 
 
 
 

				
		
	
	


		

	

		

			

	
		
			
					

	
			

				
		
			
		
			
				

					
						
	
			0
		

	Karma

					
				

			
			
		

	
		
    	
		

			
				
					
				
				
			
		

	
    
			

		

	

	

	

    

	

	


				
		
	
	


		

			

	
		
			
		
			
					
				
		
			
					
		
		Reply
	
				
		
			
					
				
		
	
	


		

	

		

			
		

			

	
		
			
					
				
		
	
	


		

	

		

			

	
		
			
					
				
		
			
					
				
		
	
	


		

			

	
		
			
					
		
	
				
		
			
					
		
	
				
		
	
	


		

	



		

	

	

	




			
		
    
            

                

            

        

	
		

		
	

	

	



		
			

	

		
	

	

		
	
		

			

	 
	 
	
	

	

	

	
		

			

			
	

	

		


	

	
		

			
			

	

		

			

	
		
			
			
				
			Solved! Jump to solution
		
			
		
		
			
		
	
	


		

			

	
		
			
	
	

		

			

				

					
	

				

			

		

	



		
	
	


		

	

		

			

	
		

			
		
			

		


	

	
			

	
	
	 
	
	
	
				
		

			
				
					
					
				
			
		

	
			
	
	
	
	
	


		

	

	

	

	

	

	

	
			
					
				
		

	


	

		
	
		

	
	


		

	

		

			

	
		
			
					

	
			
					sideview
					
				
		


				
		
	
	

	
		

			
		
			
	

	
			
				
		
		
			
		
		
		SplunkTrust
		
		
		
		
		
	
			
		

		
			
					
		

			SplunkTrust
		

	
				
		
	
		

	
	


		

			

	
		
			
					
		

			
    

	
		
		
		‎10-03-2016
	
		
		06:05 PM
	
	

	
	
	
	
	
	
	
	
	
	
	
	

		

	
				
		
	
	


		

	

		

			

	
		
			
					
		
	
				
		
			
					
		

	
		

			
				
					
					
						
Great!  😃  I wonder how many others have gotten tangled up in this. 

					
				
			
			
				
			
			
			
			
			
			
			
		

		
		
	

	
	


	


				
		
			
		
			
		
			
					
			
		
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					 

		
			
				

    
        
    

    


				
			
		
	 
 
 
 

				
		
	
	


		

	

		

			

	
		
			
					

	
			

				
		
			
		
			
				

					
						
	
			0
		

	Karma

					
				

			
			
		

	
		
    	
		

			
				
					
				
				
			
		

	
    
			

		

	

	

	

    

	

	


				
		
	
	


		

			

	
		
			
		
			
					
				
		
			
					
		
		Reply
	
				
		
			
					
				
		
	
	


		

	

		

			
		

			

	
		
			
					
				
		
	
	


		

	

		

			

	
		
			
					
				
		
			
					
				
		
	
	


		

			

	
		
			
					
		
	
				
		
			
					
		
	
				
		
	
	


		

	



		

	

	

	




			
		
    
            

                

            

        

	
		

		
	

	

	



		
		
	


	

	




			
				


	
			
				

					
						

							
		

			

	
			
				
					
				
				
			
		


		

	
							

								
								
							

							

								

	
									
								


							

						

					
				

			
		
	


			
		

	

	

				
		
		
			
			
			
		
		
		
	
	


		

			

	
		
			




    

        Got questions? Get answers!
    

  
        

            

                
 
                    
 
                         
                            Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!


                          
                    

                

             

        
 
                


		
			




    

        Meet up IRL or virtually!
    

  
        

            

                
 
                    
 
                         
                            Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.


                          
                    

                

             

        
 
                


		
			
		
			



    

        

            Get Updates on the Splunk Community!
        

        

                

                    

                        

                        
                            

                                       Index This | What travels the world but is also stuck in place?

                            
                        
                        

                        

                                    April 2026 Edition 
Hayyy Splunk Education Enthusiasts and the Eternally Curious!  
We’re back with this ...
                        

                    

                

                

                    

                        

                        
                            

                                       Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

                            
                        
                        

                        

                                    Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...
                        

                    

                

                

                    

                        

                        
                            

                                       Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

                            
                        
                        

                        

                                    As data volumes continue to grow and environments become more distributed, managing and optimizing data ...