https://community.splunk.com/t5/Splunk-Dev/Sum-function-on-output-of-summary-index/m-p/532628#M9581 <P><SPAN>index=*1 sourcetype=s source="p" "File Catalog" "Completed"</SPAN><BR /><FONT color="#FF0000"><STRONG>| dedup FILE_ID</STRONG></FONT><BR /><SPAN>| eval Date=strftime(_time, "%b/%d/%Y ")</SPAN><BR /><SPAN><STRONG><FONT color="#FF0000">| stats count(FILE_ID)</FONT> </STRONG>as "File_Count_By_Day" by Date,XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM</SPAN></P><P><SPAN>These counts will always be 1!</SPAN></P><P><SPAN>index=*1 search_name="Daily File Transfer Counts" | dedup <STRONG><FONT color="#FF0000">BASE_FILE_ID</FONT> </STRONG>|table Date USER_NM BASE_FILE_ID FILE_NM File_Count_By_Day</SPAN><BR /><STRONG><FONT color="#FF0000">| bin _time as week span=7d</FONT></STRONG><BR /><SPAN>| stats sum(File_Count_By_Day) as oneweek by XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM</SPAN><BR /><SPAN>| eval week=strftime(_time,"%Y - %U")</SPAN></P><P><SPAN>BASE_FILE_ID doesn't appear to be a field output by your summary query so you won't get any results? _time or week doesn't appear in your by list for your stats so doesn't affect the grouping</SPAN></P> Thu, 10 Dec 2020 12:29:45 GMT ITWhisperer 2020-12-10T12:29:45Z https://community.splunk.com/t5/Splunk-Dev/Sum-function-on-output-of-summary-index/m-p/532585#M9580 <P>I want to sum the output that is stored in summary index and display the output in dashboard which shows sum of all counts for one week.</P><P>Below is the code i am using but the output comes as the previous day output stored in summary index:</P><P>index=*1 search_name="Daily File Transfer Counts" | dedup BASE_FILE_ID |table Date USER_NM BASE_FILE_ID FILE_NM File_Count_By_Day<BR />| bin _time as week span=7d<BR />| stats sum(File_Count_By_Day) as oneweek by XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM<BR />| eval week=strftime(_time,"%Y - %U")</P><P>My code in&nbsp;Daily File Transfer Counts is as below:</P><P>index=*1 sourcetype=s source="p" "File Catalog" "Completed"<BR />| dedup FILE_ID<BR />| eval Date=strftime(_time, "%b/%d/%Y ")<BR />| stats count(FILE_ID) as "File_Count_By_Day" by Date,XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM</P><P>&nbsp;</P><P>I am looking to count all the file that was transfers within a week for particular file(sum of&nbsp;File_Count_By_Day within a week)</P> Thu, 10 Dec 2020 05:40:23 GMT https://community.splunk.com/t5/Splunk-Dev/Sum-function-on-output-of-summary-index/m-p/532585#M9580 supriyagaw08 2020-12-10T05:40:23Z https://community.splunk.com/t5/Splunk-Dev/Sum-function-on-output-of-summary-index/m-p/532628#M9581 <P><SPAN>index=*1 sourcetype=s source="p" "File Catalog" "Completed"</SPAN><BR /><FONT color="#FF0000"><STRONG>| dedup FILE_ID</STRONG></FONT><BR /><SPAN>| eval Date=strftime(_time, "%b/%d/%Y ")</SPAN><BR /><SPAN><STRONG><FONT color="#FF0000">| stats count(FILE_ID)</FONT> </STRONG>as "File_Count_By_Day" by Date,XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM</SPAN></P><P><SPAN>These counts will always be 1!</SPAN></P><P><SPAN>index=*1 search_name="Daily File Transfer Counts" | dedup <STRONG><FONT color="#FF0000">BASE_FILE_ID</FONT> </STRONG>|table Date USER_NM BASE_FILE_ID FILE_NM File_Count_By_Day</SPAN><BR /><STRONG><FONT color="#FF0000">| bin _time as week span=7d</FONT></STRONG><BR /><SPAN>| stats sum(File_Count_By_Day) as oneweek by XMIT_AUTH_USER_NM,XMIT_BASE_FILE_ID,XMIT_BASE_FILE_NM</SPAN><BR /><SPAN>| eval week=strftime(_time,"%Y - %U")</SPAN></P><P><SPAN>BASE_FILE_ID doesn't appear to be a field output by your summary query so you won't get any results? _time or week doesn't appear in your by list for your stats so doesn't affect the grouping</SPAN></P> Thu, 10 Dec 2020 12:29:45 GMT https://community.splunk.com/t5/Splunk-Dev/Sum-function-on-output-of-summary-index/m-p/532628#M9581 ITWhisperer 2020-12-10T12:29:45Z https://community.splunk.com/t5/Splunk-Dev/Sum-function-on-output-of-summary-index/m-p/532771#M9582 <P>Thanks for your help&nbsp;&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; i got why the count was always coming as 1.</P> Fri, 11 Dec 2020 10:53:17 GMT https://community.splunk.com/t5/Splunk-Dev/Sum-function-on-output-of-summary-index/m-p/532771#M9582 supriyagaw08 2020-12-11T10:53:17Z