In the Splunk Security Essentials app, I get this error, "Error in 'TsidxStats': WHERE clause is not an exact query", when I run the below query:
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h
Please help
Hi @damode,
Based on the query index=
it looks like you didn't provide any index name,
so please provide the index name and put the where clause in brackets.
So the query should be like this:
| tstats count where (index=<INDEX NAME> sourcetype=cisco:esa OR sourcetype=MSExchange*:MessageTracking OR tag=email) earliest=-4h
Same issue, but I believe it is a problem related to user Role Capabilities / Indexes / Restrictions.
Tested among 2 different user Roles and one can run the tstats query, the other cannot.
In my case they both have access to the indexes, but one Role has some Search filter restriction.
This is a known bug, and an updated version should be posted in the next couple of weeks. Sorry, I should have posted this a week ago!
Hi David,
Spike in Password Reset Emails (Assistant: Detect Spikes) use case returns results for the detect spikes search but doesn't populate data in "Field with data points" and "Field for our subject". Can you please suggest how I can make it work?
Also, you are not able to see the asterisk * after index= because it somehow gets removed after posting the comment. But just know the query uses index=asterisk
Always put the query in a Code Sample (101010)
so asterisks & other special characters will not be removed.
Thanks for that, Harsh.
Hi Harsh,
Thanks for that. After correcting that part the query got results. But now my question is, how can I make this correction within the use case dashboard? Because there is no option to edit the dashboard.
This app uses this line "tag==email" within the query in at least 2-3 use cases to perform a data check. Because of this I am getting that error. After removing the extra = sign, the query runs well.
Examples below:
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h
index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email | head 100 | eval length_combined = len(src_ip) * len(src_user) | stats sum(length_combined) as count
Go to Settings -> User Interface -> Views and then modify the respective dashboard.
Hi Harsh,
None of the views on the Views page match the page title I am looking for.
For example: Emails with Lookalike Domains (Assistant: Simple Search) page doesn't exist on the views page.
EDIT: Yes, this query comes from a json page, so you will not be able to see it from Splunk Web.
While looking at the Splunk Security Essentials
app, those values are coming from $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/appserver/static/components/data/sampleSearches/showcase_simple_search.json
and those queries are used in Use Cases, so I'll suggest you use those in your search with the required modifications.
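As an added example (not from this thread or from the Splunk Security Essentials app), a small Python script that locates and repairs the `tag==email` defect described above in use-case definitions of the kind stored in showcase_simple_search.json. The JSON layout and the field names ("datacheck", "search") are assumptions, the sample document is constructed inline, and the repair touches only the tstats segment and the leading search segment so that a legitimate `==` inside a later eval is preserved.

```python
import json
import re

# Constructed sample in an assumed use-case layout; the real
# showcase_simple_search.json structure is not copied from the app.
SAMPLE_JSON = json.dumps({
    "Emails with Lookalike Domains": {
        "datacheck": "| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h",
        "search": "index=* sourcetype=cisco:esa* OR tag==email | head 100 | eval same=if(src_ip==src_user, 1, 0)",
    },
    "Healthy Use Case": {
        "datacheck": "| tstats count where (index=main tag=email) earliest=-4h",
    },
})

# A tstats segment runs from "| tstats" up to the next pipe (or end of string).
TSTATS_SEG = re.compile(r"(\|\s*tstats\b)([^|]*)", re.IGNORECASE)


def fix_tstats_where(spl):
    """Replace '==' with '=' only inside tstats segments; '==' after a later
    pipe (e.g. inside eval) is a valid comparison and is left untouched."""
    return TSTATS_SEG.sub(lambda m: m.group(1) + m.group(2).replace("==", "="), spl)


def fix_base_search(spl):
    """For a query that starts with a plain search (no leading pipe), repair
    '==' in that first segment only; everything after the first pipe is kept."""
    if spl.lstrip().startswith("|"):
        return spl
    head, sep, tail = spl.partition("|")
    return head.replace("==", "=") + sep + tail


def find_bad_tstats(doc):
    """Return (use case name, field) pairs whose tstats segment contains '=='."""
    bad = []
    for name, fields in doc.items():
        for field, spl in fields.items():
            if any("==" in m.group(2) for m in TSTATS_SEG.finditer(spl)):
                bad.append((name, field))
    return bad


def parse_document(text):
    return json.loads(text)


def repair_document(text):
    """Parse the JSON text and return a copy with every query repaired."""
    doc = parse_document(text)
    for fields in doc.values():
        for field, spl in fields.items():
            fields[field] = fix_base_search(fix_tstats_where(spl))
    return doc
```

Run `find_bad_tstats(parse_document(SAMPLE_JSON))` first to list the offending use cases, then `repair_document(SAMPLE_JSON)` to produce the corrected queries for use in your own searches.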