All Apps and Add-ons

How to resolve this error, "Error in 'TsidxStats': WHERE clause is not an exact query" ?

damode
Motivator

In the Splunk Security Essentials app, I get this error , "Error in 'TsidxStats': WHERE clause is not an exact query" when I run the below query,
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h

Please help

1 Solution

harsmarvania57
Ultra Champion

Hi @damode,

Based on the query index= it looks like you didn't provided any indexname so please provide index name and supply where clause in brackets.

So query should be like this

| tstats count where (index=<INDEX NAME> sourcetype=cisco:esa OR sourcetype=MSExchange*:MessageTracking OR tag=email) earliest=-4h

View solution in original post

edoardo_vicendo
Contributor

Same issue but I believe it is a problem related to user Role Capabilities / Indexes / Restrictions

Tested among 2 different user Roles and one can run tstat query, the other cannot

In my case they both have access to the indexes but one Role have some Search filter restriction

 

0 Karma

harsmarvania57
Ultra Champion

Hi @damode,

Based on the query index= it looks like you didn't provided any indexname so please provide index name and supply where clause in brackets.

So query should be like this

| tstats count where (index=<INDEX NAME> sourcetype=cisco:esa OR sourcetype=MSExchange*:MessageTracking OR tag=email) earliest=-4h

David
Splunk Employee
Splunk Employee

This is a known bug, and an updated version should be posted in the next couple of weeks. Sorry, I should have posted this a week ago!

0 Karma

damode
Motivator

Hi David,

Spike in Password Reset Emails (Assistant: Detect Spikes) use case returns results for the detect spikes search but doesnt populates data in "Field with data points" and "Field for our subject". Can you please suggest how can I make it work ?

0 Karma

damode
Motivator

Also, you are not able to see asterisk * after index= is because it gets somehow removed after posting the comment. But just know the query uses index=asterisk

0 Karma

harsmarvania57
Ultra Champion

Always put query in Code Sample (101010) so asterisk & other special character will not be removed.

0 Karma

damode
Motivator

Thanks for that, Harsh.

0 Karma

damode
Motivator

Hi Harsh,

Thanks for that. After correcting that part the query got results. But now my question is, how can I make this correction within the use case dashboard ? Because there is no option to edit the dashboard.

This app uses this line "tag==email" within the query atleast in 2-3 use cases to perform data check. Because of this I am getting that error. After removing the extra = sign, the query runs well.

Example below,
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h

index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email | head 100 | eval length_combined = len(src_ip) * len(src_user) | stats sum(length_combined) as count

0 Karma

harsmarvania57
Ultra Champion

Goto Setting -> User Interface -> Views and then modify respective dashboard.

0 Karma

damode
Motivator

Hi Harsh,

None of the views on the Views page match the page title, I am looking for.
For e.g: Emails with Lookalike Domains (Assistant: Simple Search) page doesnt exist on the views page.

0 Karma

harsmarvania57
Ultra Champion

EDIT: Yes, this query comes from json page so you will not able to see it from Splunk Web.

0 Karma

harsmarvania57
Ultra Champion

While looking at Splunk Security Essentials app, those values are coming from $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/appserver/static/components/data/sampleSearches/showcase_simple_search.json and those queries are used in Use Cases so I'll suggest you can use those in your search with required modification.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...