All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk App for Unix: Why am I getting "Error in 'where' command:...unexpected character is reached at '%Used > 90'?

luanvn
Explorer
‎02-02-2015 07:28 PM

I already set up splunk app for unix and linux on my splunk system. Almost of checks are working. But just for check Disk_Used_Exceeds_Perc_by_Host isn't working.

On my Alerts I opened Open Search at check Disk_Used_Exceeds_Perc_by_Host. I received one message: 

"Error in 'where' command: The expression is malformed. An unexpected character is reached at '%Used > 90 '
The search job has failed due to an error. You may be able view the job in the Job Inspector."

I suspected the error was caused from the file /opt/splunk/etc/apps/SA-nix/default/macro.conf

That is information that I captured:

[Disk_Used_Pct_by_Host(1)]
args = host
definition = `os_index` `df_sourcetype` host=$host$ | strcat host '@' Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem | rename avg(UsePct) as %Used

[Disk_Used_Exceeds_Percent_by_Host(1)]
args = threshold
definition = `os_index` `df_sourcetype` host=* | stats first(UsePct) as %Used by Filesystem, host | where %Used > $threshold$ | eval title="Disk_Used_Exceeds_Percent_by_Host" | `unix_alert_decoration` | fields Filesystem, Type, Size, Used, Avail, %Used, MountedOn, host, hosts, host_count, severity, sid, time_fired

I appreciated any help. Thanks.

0 Karma
Reply

ramdaspr
Contributor
‎02-02-2015 07:49 PM

Try with "%Used" instead of %Used at all the places you are using it i.e. with the surrounding double quotes to force it as a variable name.

Edit: Actually It might be better to simply use a different variable name instead without the special character in this case.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...