Splunk Search

How can I run the STATS sum command with group by another field (not date)?



I have sample data as follows, for multiple dates, with separate space stats.


I am writing the following to find the sum of space per object, but I am getting incorrect values.

index=avs_os host=dc1prftseix01 sourcetype=stat
| spath output=archobj "{}.object"
| spath output=date "{}.date"
| spath output=space "{}.write"
| table archobj,date,space
| addtotals
| stats sum(space) as Space by archobj

If I am trying to find the total sum and not using the group by ( | stats sum(space) as Space), I am able to get correct values. Please help.



The addtotals command may be throwing off the results. That combined with stats sum means you're adding values twice.

If this reply helps you, Karma would be appreciated.
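
An added example, not part of the original thread: the question's search with addtotals dropped, as the reply suggests, and with the array fields paired up before grouping. spath on a "{}.field" path returns multivalue fields, and stats ... by a multivalue field produces a row for each value while sum() adds every value in the event, so mvzip and mvexpand are used here to get one object/space pair per row. The _raw event and the names sampleA and sampleB are constructed sample data; the poster's actual data is not shown on the page.

```spl
| makeresults
| eval _raw="[{\"object\":\"sampleA\",\"date\":\"2021-06-01\",\"write\":10},{\"object\":\"sampleB\",\"date\":\"2021-06-01\",\"write\":20},{\"object\":\"sampleA\",\"date\":\"2021-06-02\",\"write\":5}]"
| spath output=archobj "{}.object"
| spath output=date "{}.date"
| spath output=space "{}.write"
| eval pair=mvzip(archobj, space, "|")
| mvexpand pair
| eval archobj=mvindex(split(pair, "|"), 0), space=tonumber(mvindex(split(pair, "|"), 1))
| stats sum(space) as Space by archobj
```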