license usage alerts

This is the reference that I'm looking at: http://www.splunk.com/wiki/Community:TroubleshootingIndexedDataVolume

Specifically this search:

index=_internal source=*license_usage* pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where sum(GB) > 0.3

And I get this error:

Error in 'where' command: The 'sum' function is unsupported or undefined.

Relating to this part of the search:

where sum(GB) > 0.3

So, I look up the search manual and there is in fact no sum function to the where command. I've tried a bunch of variations and I'm not getting the expected result.

Can anyone shed any light on where I'm going wrong (and fix the doco)

Thanks.

asked 07 Oct '11, 14:52

nicco
21●2
accept rate: 0%

One Answer:

oldest newest most voted

The correct syntax is either:

index=_internal source=license_usage pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) by pool | where 'sum(GB)' > 0.3

i.e., single quote sum(GB). It is not a function. It is a variable name that was created by stats. You could also use:

index=_internal source=license_usage pool="default" | eval GB=b/1024/1024/1024 | stats sum(GB) as sumGB by pool | where sumGB > 0.3

link

answered 07 Oct '11, 17:09

gkanapathy ♦
26.3k●1●6●22
accept rate: 42%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

alerts ×172
documentation ×18

Asked: 07 Oct '11, 14:52

Seen: 769 times

Last updated: 07 Oct '11, 17:09

license usage alerts

Follow this question

Splunk Resources

Related questions