All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk App for Unix: Why am I getting "Error in 'where' command:...unexpected character is reached at '%Used > 90'?

luanvn
Explorer
‎02-02-2015 07:28 PM

I already set up splunk app for unix and linux on my splunk system. Almost of checks are working. But just for check Disk_Used_Exceeds_Perc_by_Host isn't working.

On my Alerts I opened Open Search at check Disk_Used_Exceeds_Perc_by_Host. I received one message: 

"Error in 'where' command: The expression is malformed. An unexpected character is reached at '%Used > 90 '
The search job has failed due to an error. You may be able view the job in the Job Inspector."

I suspected the error was caused from the file /opt/splunk/etc/apps/SA-nix/default/macro.conf

That is information that I captured:

[Disk_Used_Pct_by_Host(1)]
args = host
definition = `os_index` `df_sourcetype` host=$host$ | strcat host '@' Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem | rename avg(UsePct) as %Used

[Disk_Used_Exceeds_Percent_by_Host(1)]
args = threshold
definition = `os_index` `df_sourcetype` host=* | stats first(UsePct) as %Used by Filesystem, host | where %Used > $threshold$ | eval title="Disk_Used_Exceeds_Percent_by_Host" | `unix_alert_decoration` | fields Filesystem, Type, Size, Used, Avail, %Used, MountedOn, host, hosts, host_count, severity, sid, time_fired

I appreciated any help. Thanks.

0 Karma
Reply

ramdaspr
Contributor
‎02-02-2015 07:49 PM

Try with "%Used" instead of %Used at all the places you are using it i.e. with the surrounding double quotes to force it as a variable name.

Edit: Actually It might be better to simply use a different variable name instead without the special character in this case.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...