- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help on Errror stats - The argument '>' is invalid
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am scheduling this search(Daily Indexed Volume):
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | chart sum(MB) by series | rename series AS "Host(s)" | sort sum(MB) | addcoltotals col=t | fillnull value="[ Total Indexed Volume ] last 24 hours" Host(s)
but it seems to be generating the following errors:
in splunkd.log: 06-25-2010 10:04:27.285 ERROR stats - The argument '>' is invalid.
in scheduler.log: 06-25-2010 10:04:27.285 ERROR SavedSplunker - savedsearch_id="myuserid;search;Daily Indexed Volume", Error in 'stats': The argument '>' is invalid.
Any idea??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is rather weird, since you don't seem to be using the stats search command at all (although "stats" could be "chart" in your case, I'm not sure how that works exactly.)
The approach that Simeon suggests is a good one.
I would suggest that you make the following change to your search (it should be much more efficient):
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | ...
Would be much faster if written as:
index=_internal source=*metrics.log splunk_server="*" group="per_host_thruput" | eval MB=kb/1024 | ...
The reason for this is there are tons of metrics events, and only some of them contain the term per_host_thruput, so by moving that to your first search you let splunk search for that within the index, instead of searching for it on a secondary pass over the events. (Of course, that wouldn't cause the error you are seeing, but it should make your search fastser and more efficient)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is rather weird, since you don't seem to be using the stats search command at all (although "stats" could be "chart" in your case, I'm not sure how that works exactly.)
The approach that Simeon suggests is a good one.
I would suggest that you make the following change to your search (it should be much more efficient):
index=_internal source=*metrics.log splunk_server="*" | eval MB=kb/1024 | search group="per_host_thruput" | ...
Would be much faster if written as:
index=_internal source=*metrics.log splunk_server="*" group="per_host_thruput" | eval MB=kb/1024 | ...
The reason for this is there are tons of metrics events, and only some of them contain the term per_host_thruput, so by moving that to your first search you let splunk search for that within the index, instead of searching for it on a secondary pass over the events. (Of course, that wouldn't cause the error you are seeing, but it should make your search fastser and more efficient)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would begin by removing each additional pipe function to see what is causing the error. Since the error is in "stats", I would begin by removing the statistical functions.
Infographic provides the TL;DR for the 2023 Splunk Career Impact Report
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
