How to resolve this error, "Error in 'TsidxStats': WHERE clause is not an exact query"?

damode
Motivator

In the Splunk Security Essentials app, I get this error, "Error in 'TsidxStats': WHERE clause is not an exact query", when I run the below query:
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h

Please help

1 Solution

harsmarvania57
SplunkTrust

Hi @damode,

Based on the query index= it looks like you didn't provide any index name, so please provide an index name and put the where clause in brackets.

So the query should be like this:

| tstats count where (index=<INDEX NAME> sourcetype=cisco:esa OR sourcetype=MSExchange*:MessageTracking OR tag=email) earliest=-4h

David
Splunk Employee

This is a known bug, and an updated version should be posted in the next couple of weeks. Sorry, I should have posted this a week ago!

0 Karma

damode
Motivator

Hi David,

The Spike in Password Reset Emails (Assistant: Detect Spikes) use case returns results for the detect spikes search but doesn't populate data in "Field with data points" and "Field for our subject". Can you please suggest how I can make it work?

0 Karma

damode
Motivator

Also, the reason you are not able to see the asterisk * after index= is that it somehow gets removed after posting the comment. But just know the query uses index=asterisk.

0 Karma

harsmarvania57
SplunkTrust

Always put the query in a Code Sample (101010) so asterisks & other special characters will not be removed.

0 Karma

damode
Motivator

Thanks for that, Harsh.

0 Karma

damode
Motivator

Hi Harsh,

Thanks for that. After correcting that part the query got results. But now my question is, how can I make this correction within the use case dashboard? Because there is no option to edit the dashboard.

This app uses this line "tag==email" within the query in at least 2-3 use cases to perform a data check. Because of this I am getting that error. After removing the extra = sign, the query runs well.

Example below:
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h

index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email | head 100 | eval length_combined = len(src_ip) * len(src_user) | stats sum(length_combined) as count

0 Karma

harsmarvania57
SplunkTrust

Go to Settings -> User Interface -> Views and then modify the respective dashboard.

0 Karma

damode
Motivator

Hi Harsh,

None of the views on the Views page match the page title I am looking for.
For e.g.: the Emails with Lookalike Domains (Assistant: Simple Search) page doesn't exist on the Views page.

0 Karma

harsmarvania57
SplunkTrust

EDIT: Yes, this query comes from a JSON page, so you will not be able to see it from Splunk Web.

0 Karma

harsmarvania57
SplunkTrust

While looking at the Splunk Security Essentials app, those values are coming from $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/appserver/static/components/data/sampleSearches/showcase_simple_search.json and those queries are used in the Use Cases, so I'd suggest using those in your search with the required modifications.

0 Karma
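Since the offending searches live in showcase_simple_search.json rather than in an editable dashboard, a small script can locate every tstats search that contains a field==value term and apply harsmarvania57's fix (single = and a bracketed where clause). This is an added Python example, not code from the thread or from Splunk Security Essentials; the sample JSON, its key names and the regex-based rewrite (rather than a real SPL parser) are assumptions.

```python
import json
import re

# Constructed sample standing in for showcase_simple_search.json; the real
# file's schema is not shown in the thread, so the key names are assumptions.
SAMPLE_JSON = """
{
  "Spike in Password Reset Emails": {
    "datacheck": "| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h"
  },
  "Unrelated Use Case": {
    "datacheck": "| tstats count where index=* sourcetype=WinEventLog:Security earliest=-4h"
  }
}
"""

# field==value inside a tstats WHERE clause is what makes it "not an exact query".
DOUBLE_EQ = re.compile(r"(\b[\w.]+)==([^\s()|]+)")

# Splits "| tstats ... where <terms> [earliest=...] [by ...]" into head/body/tail.
TSTATS_WHERE = re.compile(r"^(\s*\|\s*tstats\s+.*?\bwhere\s+)(.*?)((?:\s+earliest=\S+)?(?:\s+by\b.*)?)\s*$")

def find_broken_tstats(obj, path=""):
    """Walk parsed JSON; return (json_path, search) for each tstats search using field==value."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits.extend(find_broken_tstats(val, f"{path}/{key}"))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_broken_tstats(val, f"{path}[{i}]"))
    elif isinstance(obj, str) and obj.lstrip().startswith("| tstats") and DOUBLE_EQ.search(obj):
        hits.append((path, obj))
    return hits

def fix_tstats_where(search):
    """Apply the accepted answer's fix: field==value -> field=value, bracket the WHERE terms."""
    search = DOUBLE_EQ.sub(r"\1=\2", search)
    m = TSTATS_WHERE.match(search)
    if not m:
        return search
    head, body, tail = m.groups()
    if not body.startswith("("):       # leave already-bracketed clauses alone
        body = f"({body})"
    return head + body + tail

def scan(json_text):
    """Parse JSON text and return the broken tstats searches it contains."""
    return find_broken_tstats(json.loads(json_text))
```

Running `scan(SAMPLE_JSON)` flags only the password-reset data check; `fix_tstats_where` on that string yields the same shape as the accepted answer's query.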