Thanks for the query logic, much faster than exporting one month at a time.

As to your two candidate queries, the second one is the exact query I ran for Sept only. What was your hypothesis in comparing the two?

Follow up after a long time... that particular combination was just trying to eliminate the possibility that some records on the last day of the month were being dropped due to their event time.

With regard to the overall issue, it seems like the subsearch limits could cause numbers for each individual URL to go either direction, since I don't believe there is a guarantee which events from which indexers will arrive first. Nonetheless, I don't see any way that the described symptoms could be generated based on the code and comments above. Sure wish he had posted what he found.

I'm expecting, based on the fact that the op disappeared shortly after we posted the chart... over _time code, that that code enabled him to effectively find and stomp the bug, since it automatically provides summary row and column for the individual data.

I am comparing both the results I saved from last month AND the results I get now for a search that ends on Jan 31. For some urls, the Sep-Jan number is higher than Sep-Feb when I run both reports now. AND the Sep-Jan number when I ran it last month was higher than the Sep-Jan number when I run it now. See comments I will post below, it gets more bizarre...

Okay, I'd limit the query to a single one of the URLs that is different and see if the behavior can be replicated at a more granular level. Most of the ways that splunk inherently limits search results will disappear if the volume of results get under the throttle. Thus, if the problem goes away when you limit the query to a small selection, then it tells you where to look for the glitch.

If I'm understanding what you're suggesting, then I would expect to see lower totals for larger aggregate time ranges. But in this case, I'm seeing the opposite: lower numbers when I manually total up smaller time ranges (e.g. 1 month increments) than when I use larger time ranges (e.g. 6 months). And just now I tried one URL and got a smaller number for Sep-Jan than when I pull that same time range for all URLs, which would seem to be a much bigger chunk for Splunk to process.

So could the glitch or limit you're suggesting be that some events are being counted more than once?

I am not running the search in a panel, I am entering it as a raw search and I save those searches as reports. To my knowledge I am not using loadjob.

Your search parameters eval month=strftime(_time,%m)| eval month=case(month==2,2,true(),0)| stats count by month uri_path and eval month=strftime(_time,%m)| stats count by month uri_path both threw errors for me.

So I ran the report for each month, limiting the date range to only that month, e.g. Sep 1 - Sep 30, Oct 1 - Oct 31, etc. Then I manually totaled each month of data for 5 selected urls. For each url my manually totaled number for Sep-Feb exactly matches what I get when I run the report with the full Sep-Feb date range.

However, my manually totaled numbers for Sep-Jan match full Sep-Jan date range reports exactly for only two of the five urls. The manual totals are lower for the other three. And for Sep-Dec, the data for only one of the five urls match.

You are correct: I didn't need the AND. I did not yet try taking out the uri_path="/sectionpath*" yet because there would be millions of events and it would take way too long to run.