Splunk Search

How can I run the STATS sum command with group by another field (not date)?



I have sample data as follows, for multiple dates, with separate space stats.


I am writing the following to find the sum of space per object, but I am getting incorrect values.

index=avs_os host=dc1prftseix01 sourcetype=stat
| spath output=archobj "{}.object"
| spath output=date "{}.date"
| spath output=space "{}.write"
| table archobj,date,space
| addtotals
| stats sum(space) as Space by archobj

If I am trying to find the total sum and not using the group by ( | stats sum(space) as Space), I am able to get correct values. Please help.



The addtotals command may be throwing off the results. That, combined with stats sum, means you're adding values twice.

If this reply helps you, Karma would be appreciated.
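
An added example, not part of the original thread or either poster's own search: a self-contained search that builds one constructed event with makeresults and sums space per object without addtotals. It assumes each event is a JSON array (as the "{}." paths suggest), so the three spath fields are multivalue and are paired per array element with mvzip and mvexpand before grouping; the object names, dates and numbers are made up, and the "|" delimiter assumes no value contains that character.

```spl
| makeresults
| eval _raw="[{\"object\":\"objA\",\"date\":\"2022-11-01\",\"write\":10},{\"object\":\"objB\",\"date\":\"2022-11-01\",\"write\":5},{\"object\":\"objA\",\"date\":\"2022-11-02\",\"write\":7}]"
| spath output=archobj "{}.object"
| spath output=date "{}.date"
| spath output=space "{}.write"
| eval row=mvzip(mvzip(archobj, date, "|"), space, "|")
| mvexpand row
| eval parts=split(row, "|")
| eval archobj=mvindex(parts, 0), date=mvindex(parts, 1), space=tonumber(mvindex(parts, 2))
| stats sum(space) as Space by archobj
```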