Splunk Search

How can I run the STATS Sum command with group by another field (not date)?



I have sample data as follows, for multiple dates, with separate space stats.


I am writing the following to find the sum of space per object, but I am getting incorrect values.

index=avs_os host=dc1prftseix01 sourcetype=stat
| spath output=archobj "{}.object"
| spath output=date "{}.date"
| spath output=space "{}.write"
| table archobj,date,space
| addtotals
| stats sum(space) as Space by archobj

If I am trying to find the total sum and not using the group by ( | stats sum(space) as Space), I am able to get correct values. Please help.



The addtotals command may be throwing off the results. That, combined with stats sum, means you're adding values twice.

If this reply helps you, an upvote would be appreciated.