topic Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"? in Dashboards & Visualizations

How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 09:40:00 GMT

I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:

| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`

The error:
Error in 'TsidxStats': WHERE clause is not an exact query

If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 13:36:13 GMT

Firstly not required to use *(wildcard) in where clause..and what token values are setting?

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 13:40:25 GMT

Hi, the wildcard I should replace with % ?
The tokens are shown in query, action bunit and category

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 13:48:58 GMT

No, you can not replace it with %..Do you really need wildcard here as where clause is used to to filter search results.
$action$ $bunit$ $category$ these tokens value is getting populating from different input/panel ..so In these token what values are setting .

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:19:05 GMT

Okay,I remove the wildcard completely

To be honest, this query was not built by me, it's part of the enterprise security dashboards, but stopped working 2 weeks ago. I would assume that its like this:

action=$action$
punct=$bunit$
category=$category$

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:32:03 GMT

wait ..retain * and try in query datamodel=Malware_Attacksor datamodel=Malware
If you try only | tstats count from datamodel=Malware.Malware_Attacks does it returning events?

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:34:13 GMT

| `tstats` count from datamodel=Malware_Attacks where $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Error in 'TsidxStats': Could not find datamodel: Malware_Attacks

| `tstats` count from datamodel=Malware where $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Error in 'TsidxStats': WHERE clause is not an exact query

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:38:35 GMT

try running query in parts and check when you are receiving error?

 | tstats count from datamodel=Malware.Malware_Attacks

and then try to run

| tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:40:26 GMT

| `tstats` count from datamodel=Malware.Malware_Attacks by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Runs fine, returns 31 Statistics
Results are not accurate, returns null values for when there should be events

 | tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Does not run: Error in 'TsidxStats': WHERE clause is not an exact query

The problem, I think, is with the tokens, but I don't know how to fix

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:42:41 GMT

and if try this then?

 | tstats count from datamodel=Malware.Malware_Attacks where *  by _time,Malware_Attacks.action span=10m 
 | timechart minspan=10m useother=true count by Malware_Attacks.action 
 | `drop_dm_object_name("Malware_Attacks")`

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:44:42 GMT

also I am assuming sign ` around tstats is a typo

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:45:11 GMT

Works, returns more events, as well on the day today when there should be, but very long it is on null from timeframe 2 weeks

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:47:29 GMT

I don't make the query, so I have no idea, it is from enterprise security dashboard

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:47:55 GMT

so when you are adding tokens it gives an error right?

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:48:33 GMT

Yes that is correct, the tokens make error

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:49:12 GMT

so is their any sign around |tstatscommand?

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:51:24 GMT

so add these token in <title>$action$ $bunit$ $category$</title> your xml and check what values are being set there?

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:53:16 GMT

I put it in the xml , do not see displayed, what do ?

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

493669 — Fri, 16 Feb 2018 14:55:04 GMT

have you put below <table> ?

Re: How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne — Fri, 16 Feb 2018 14:57:37 GMT

sorry, my bad. this is what i see: