Hi all,
I'm having a great time with Splunk and using it to analyze some IIS web logs. I've been successful in creating a search that counts the daily unique IPs. But I want to use that same data and show the average number of unique IPs by weekday over different periods of time (3 months, 6 months, all time).
My issue is that I have created a successful search for 3 months, but when I try to run it for anything greater than that, the calculations are incorrect. I presume I am hitting some sort of summarization limit and it is grouping the data in an odd way.
Here is my search string that works at three months or less:
sourcetype=iis
| bin _time span=1d
| dedup c_ip
| timechart count(c_ip) as daily_uniques
| eval weekday = strftime(_time, "%w")
| stats avg(daily_uniques) by weekday
Why would this search work correctly for the last three months but not for 6 or 12 month periods?
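As an added note (not part of the original post): two parts of that pipeline change behaviour with the time range. timechart without an explicit span picks its bucket width from the search range, so over longer ranges count(c_ip) is taken per bucket that is wider than a day, and dedup c_ip without _time keeps only one event per IP across the entire range rather than per day. The rewrite below, assuming the same sourcetype=iis and c_ip field, pins the bucket to one day and counts distinct IPs inside each day, so the per-weekday average stays comparable across 3, 6 and 12 month windows:

```spl
sourcetype=iis
| bin _time span=1d
| stats dc(c_ip) as daily_uniques by _time
| eval weekday = strftime(_time, "%w")
| stats avg(daily_uniques) as avg_uniques, count as days_observed by weekday
| sort weekday
```

days_observed shows how many days contributed to each weekday average, which is a quick check that no bucket was widened or merged. A stable per-weekday baseline like this is also what you would compare a single day's distinct-IP count against when looking for unusual traffic.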