Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on Errror stats - The argument '>' is invalid

apro
Path Finder
‎06-28-2010 03:35 AM

I am scheduling this search(Daily Indexed Volume):

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)

but it seems to be generating the following errors:

in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.

in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.

Any idea??

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-28-2010 03:40 PM

That is rather weird, since you don't seem to be using the stats search command at all (although "stats" could be "chart" in your case, I'm not sure how that works exactly.)

The approach that Simeon suggests is a good one.

I would suggest that you make the following change to your search (it should be much more efficient):

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | ...

Would be much faster if written as:

index=_internal source=*metrics.log splunk_server="*" group="per_host_thruput" | eval MB=kb/1024 | ...

The reason for this is there are tons of metrics events, and only some of them contain the term per_host_thruput, so by moving that to your first search you let splunk search for that within the index, instead of searching for it on a secondary pass over the events. (Of course, that wouldn't cause the error you are seeing, but it should make your search fastser and more efficient)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-28-2010 03:40 PM

That is rather weird, since you don't seem to be using the stats search command at all (although "stats" could be "chart" in your case, I'm not sure how that works exactly.)

The approach that Simeon suggests is a good one.

I would suggest that you make the following change to your search (it should be much more efficient):

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | ...

Would be much faster if written as:

index=_internal source=*metrics.log splunk_server="*" group="per_host_thruput" | eval MB=kb/1024 | ...

The reason for this is there are tons of metrics events, and only some of them contain the term per_host_thruput, so by moving that to your first search you let splunk search for that within the index, instead of searching for it on a secondary pass over the events. (Of course, that wouldn't cause the error you are seeing, but it should make your search fastser and more efficient)

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎06-28-2010 03:33 PM

I would begin by removing each additional pipe function to see what is causing the error. Since the error is in "stats", I would begin by removing the statistical functions.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top