Re: license usage alerts

nicco · ‎10-07-2011

This is the reference that I'm looking at:
http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

Specifically this search:

index=_internal source=*license_usage* pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where sum(GB) > 0.3

And I get this error:

Error in 'where' command: The 'sum' function is unsupported or undefined.

Relating to this part of the search:

where sum(GB) > 0.3

So, I look up the search manual and there is in fact no sum function to the where command. I've tried a bunch of variations and I'm not getting the expected result.

Can anyone shed any light on where I'm going wrong (and fix the doco)

Thanks.

gkanapathy · ‎10-07-2011

The correct syntax is either:

index=_internal source=license_usage pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where 'sum(GB)' > 0.3

i.e., single quote sum(GB). It is not a function. It is a variable name that was created by stats. You could also use:

index=_internal source=license_usage pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) as sumGB by pool | where sumGB > 0.3

license usage alerts

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

license usage alerts

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...