All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk App for Unix: Why am I getting "Error in 'where' command:...unexpected character is reached at '%Used > 90'?

luanvn
Explorer
‎02-02-2015 07:28 PM

I already set up splunk app for unix and linux on my splunk system. Almost of checks are working. But just for check Disk_Used_Exceeds_Perc_by_Host isn't working.

On my Alerts I opened Open Search at check Disk_Used_Exceeds_Perc_by_Host. I received one message: 

"Error in 'where' command: The expression is malformed. An unexpected character is reached at '%Used > 90 '
The search job has failed due to an error. You may be able view the job in the Job Inspector."

I suspected the error was caused from the file /opt/splunk/etc/apps/SA-nix/default/macro.conf

That is information that I captured:

[Disk_Used_Pct_by_Host(1)]
args = host
definition = `os_index` `df_sourcetype` host=$host$ | strcat host '@' Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem | rename avg(UsePct) as %Used

[Disk_Used_Exceeds_Percent_by_Host(1)]
args = threshold
definition = `os_index` `df_sourcetype` host=* | stats first(UsePct) as %Used by Filesystem, host | where %Used > $threshold$ | eval title="Disk_Used_Exceeds_Percent_by_Host" | `unix_alert_decoration` | fields Filesystem, Type, Size, Used, Avail, %Used, MountedOn, host, hosts, host_count, severity, sid, time_fired

I appreciated any help. Thanks.

0 Karma
Reply

ramdaspr
Contributor
‎02-02-2015 07:49 PM

Try with "%Used" instead of %Used at all the places you are using it i.e. with the surrounding double quotes to force it as a variable name.

Edit: Actually It might be better to simply use a different variable name instead without the special character in this case.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...