earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | stats count by date
date count
2016-10-01 500
2016-10-02 707
2016-10-03 205
earliest=10/1/2016:00:00:00 latest=10/2/2016:23:59:59 sourcetype=iis | eval date=strftime(_time, "%Y-%m-%d") | stats count by date
date count
2016-10-01 705
2016-10-02 707
Why does the first query return 3 rows, especially when 10/3/2016 is not a part of the search time range?
↧