Splunk App for Unix: Why am I getting "Error in 'w...

luanvn · ‎02-02-2015

I already set up splunk app for unix and linux on my splunk system. Almost of checks are working. But just for check Disk_Used_Exceeds_Perc_by_Host isn't working.

On my Alerts I opened Open Search at check Disk_Used_Exceeds_Perc_by_Host. I received one message:

"Error in 'where' command: The expression is malformed. An unexpected character is reached at '%Used > 90 '
The search job has failed due to an error. You may be able view the job in the Job Inspector."

I suspected the error was caused from the file /opt/splunk/etc/apps/SA-nix/default/macro.conf

That is information that I captured:

[Disk_Used_Pct_by_Host(1)]
args = host
definition = `os_index` `df_sourcetype` host=$host$ | strcat host '@' Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem | rename avg(UsePct) as %Used

[Disk_Used_Exceeds_Percent_by_Host(1)]
args = threshold
definition = `os_index` `df_sourcetype` host=* | stats first(UsePct) as %Used by Filesystem, host | where %Used > $threshold$ | eval title="Disk_Used_Exceeds_Percent_by_Host" | `unix_alert_decoration` | fields Filesystem, Type, Size, Used, Avail, %Used, MountedOn, host, hosts, host_count, severity, sid, time_fired

I appreciated any help. Thanks.

ramdaspr · ‎02-02-2015

Try with "%Used" instead of %Used at all the places you are using it i.e. with the surrounding double quotes to force it as a variable name.

Edit: Actually It might be better to simply use a different variable name instead without the special character in this case.

Splunk App for Unix: Why am I getting "Error in 'where' command:...unexpected character is reached at '%Used > 90'?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases