How can I run STATS Sum command with group by another field (not date)?

Engager

Hi,

I have sample data as follows, for multiple dates, with separate space stats.

{"object":"DOC1","date":"2020-06-13","write":7321.445,"delete":6717.463,"objCntW":5148955}

I am writing the following to find the sum of space per object, but I am getting incorrect values.

index=avs_os host=dc1prftseix01 sourcetype=stat
| spath output=archobj "{}.object"
| spath output=date "{}.date"
| spath output=space "{}.write"
| table archobj,date,space
| addtotals
| stats sum(space) as Space by archobj

If I try to find the total sum without using the group by ( | stats sum(space) as Space), I am able to get correct values. Please help.


SplunkTrust

The addtotals command may be throwing off the results. That, combined with stats sum, means you're adding values twice.

---
If this reply helps you, an upvote would be appreciated.
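
A self-contained search for checking per-object sums, added here as an example and not taken from either post. It leaves out addtotals, as the reply suggests, and expands each array element into its own row so that every write value stays paired with its own object before grouping. Assumptions: each event is a JSON array of records (as the `{}.` paths in the question imply); the three records, their values and the field name `rec` are constructed for illustration.

```spl
| makeresults
| eval _raw="[{\"object\":\"DOC1\",\"date\":\"2020-06-13\",\"write\":10.5},{\"object\":\"DOC2\",\"date\":\"2020-06-13\",\"write\":20.0},{\"object\":\"DOC1\",\"date\":\"2020-06-14\",\"write\":4.5}]"
| spath path={} output=rec
| mvexpand rec
| spath input=rec
| stats sum(write) as Space by object
```

With this constructed input the result is one row per object: DOC1 with Space 15 and DOC2 with Space 20. Replacing the first two lines with the original `index=... sourcetype=stat` search applies the same grouping to real events.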