I already set up the Splunk App for Unix and Linux on my Splunk system. Almost all of the checks are working, but just the check Disk_Used_Exceeds_Perc_by_Host isn't working.
In my Alerts I opened Open Search for the check Disk_Used_Exceeds_Perc_by_Host. I received this message:
"Error in 'where' command: The expression is malformed. An unexpected character is reached at '%Used > 90 '
The search job has failed due to an error. You may be able view the job in the Job Inspector."
I suspected the error was caused by the file /opt/splunk/etc/apps/SA-nix/default/macro.conf
This is the information I captured:
[Disk_Used_Pct_by_Host(1)]
args = host
definition = `os_index` `df_sourcetype` host=$host$ | strcat host '@' Filesystem Host_FileSystem | timechart avg(UsePct) by Host_FileSystem | rename avg(UsePct) as %Used
[Disk_Used_Exceeds_Percent_by_Host(1)]
args = threshold
definition = `os_index` `df_sourcetype` host=* | stats first(UsePct) as %Used by Filesystem, host | where %Used > $threshold$ | eval title="Disk_Used_Exceeds_Percent_by_Host" | `unix_alert_decoration` | fields Filesystem, Type, Size, Used, Avail, %Used, MountedOn, host, hosts, host_count, severity, sid, time_fired
I would appreciate any help. Thanks.
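Added example, not part of the original post or the SA-nix app: the parser error points at the field name %Used, which contains a character that the eval-style `where` command only accepts inside single quotes. Assuming the macro stanza above, this is what a local override in macros.conf (the file name Splunk actually reads for macros) would look like with the field reference quoted; the local directory and the quoting fix are my assumptions about how to resolve the reported error.

```ini
# Assumed path: /opt/splunk/etc/apps/SA-nix/local/macros.conf
# A stanza here overrides the same stanza in default/ without editing the shipped app.
[Disk_Used_Exceeds_Percent_by_Host(1)]
args = threshold
# Only change from the default definition: '%Used' is single-quoted in the where clause,
# because a field name containing '%' is not a valid bare token in an eval expression.
definition = `os_index` `df_sourcetype` host=* | stats first(UsePct) as %Used by Filesystem, host | where '%Used' > $threshold$ | eval title="Disk_Used_Exceeds_Percent_by_Host" | `unix_alert_decoration` | fields Filesystem, Type, Size, Used, Avail, %Used, MountedOn, host, hosts, host_count, severity, sid, time_fired
```

After saving, the macro can be checked by running `` `Disk_Used_Exceeds_Percent_by_Host(90)` `` in a search; if the Job Inspector no longer reports the malformed-expression error, the alert that wraps it should run as well.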