Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on Errror stats - The argument '>' is invalid

apro
Path Finder
‎06-28-2010 03:35 AM

I am scheduling this search(Daily Indexed Volume):

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)

but it seems to be generating the following errors:

in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.

in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.

Any idea??

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-28-2010 03:40 PM

That is rather weird, since you don't seem to be using the stats search command at all (although "stats" could be "chart" in your case, I'm not sure how that works exactly.)

The approach that Simeon suggests is a good one.

I would suggest that you make the following change to your search (it should be much more efficient):

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | ...

Would be much faster if written as:

index=_internal source=*metrics.log splunk_server="*" group="per_host_thruput" | eval MB=kb/1024 | ...

The reason for this is there are tons of metrics events, and only some of them contain the term per_host_thruput, so by moving that to your first search you let splunk search for that within the index, instead of searching for it on a secondary pass over the events. (Of course, that wouldn't cause the error you are seeing, but it should make your search fastser and more efficient)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-28-2010 03:40 PM

That is rather weird, since you don't seem to be using the stats search command at all (although "stats" could be "chart" in your case, I'm not sure how that works exactly.)

The approach that Simeon suggests is a good one.

I would suggest that you make the following change to your search (it should be much more efficient):

index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | ...

Would be much faster if written as:

index=_internal source=*metrics.log splunk_server="*" group="per_host_thruput" | eval MB=kb/1024 | ...

The reason for this is there are tons of metrics events, and only some of them contain the term per_host_thruput, so by moving that to your first search you let splunk search for that within the index, instead of searching for it on a secondary pass over the events. (Of course, that wouldn't cause the error you are seeing, but it should make your search fastser and more efficient)

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎06-28-2010 03:33 PM

I would begin by removing each additional pipe function to see what is causing the error. Since the error is in "stats", I would begin by removing the statistical functions.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top