All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

license usage alerts

nicco
Explorer
‎10-07-2011 02:52 PM

This is the reference that I'm looking at:
http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

Specifically this search:

index=_internal source=*license_usage* pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where sum(GB) > 0.3

And I get this error:

Error in 'where' command: The 'sum' function is unsupported or undefined.

Relating to this part of the search:

where sum(GB) > 0.3

So, I look up the search manual and there is in fact no sum function to the where command. I've tried a bunch of variations and I'm not getting the expected result.

Can anyone shed any light on where I'm going wrong (and fix the doco)

Thanks.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-07-2011 05:09 PM

The correct syntax is either:

index=_internal source=license_usage pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where 'sum(GB)' > 0.3

i.e., single quote sum(GB). It is not a function. It is a variable name that was created by stats. You could also use:

index=_internal source=license_usage pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) as sumGB by pool | where sumGB > 0.3

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...