
How to resolve this error, "Error in 'TsidxStats': WHERE clause is not an exact query"?

Builder

In the Splunk Security Essentials app, I get this error, "Error in 'TsidxStats': WHERE clause is not an exact query", when I run the query below:
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h

Please help

1 Solution

SplunkTrust

Hi @damode,

Based on the query (index=), it looks like you didn't provide any index name, so please provide an index name and put the where clause in brackets.

So the query should be like this:

| tstats count where (index=<INDEX NAME> sourcetype=cisco:esa OR sourcetype=MSExchange*:MessageTracking OR tag=email) earliest=-4h

Splunk Employee

This is a known bug, and an updated version should be posted in the next couple of weeks. Sorry, I should have posted this a week ago!

Builder

Hi David,

The Spike in Password Reset Emails (Assistant: Detect Spikes) use case returns results for the detect spikes search but doesn't populate data in "Field with data points" and "Field for our subject". Can you please suggest how I can make it work?

Builder

Also, the reason you are not able to see the asterisk * after index= is that it somehow gets removed after posting the comment. But just know the query uses index=asterisk.

SplunkTrust

Always put the query in a Code Sample (101010) so the asterisk and other special characters will not be removed.

Builder

Thanks for that, Harsh.

Builder

Hi Harsh,

Thanks for that. After correcting that part the query got results. But now my question is, how can I make this correction within the use case dashboard, because there is no option to edit the dashboard?

This app uses the line "tag==email" within the query in at least 2-3 use cases to perform a data check. Because of this I am getting that error. After removing the extra = sign, the query runs well.

Example below:
| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h

index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email | head 100 | eval length_combined = len(src_ip) * len(src_user) | stats sum(length_combined) as count

SplunkTrust

Go to Settings -> User Interface -> Views and then modify the respective dashboard.

Builder

Hi Harsh,

None of the views on the Views page match the page title I am looking for.
For example, the Emails with Lookalike Domains (Assistant: Simple Search) page doesn't exist on the Views page.

SplunkTrust

EDIT: Yes, this query comes from a JSON page, so you will not be able to see it from Splunk Web.

SplunkTrust

While looking at the Splunk Security Essentials app, those values are coming from $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/appserver/static/components/data/sampleSearches/showcase_simple_search.json, and those queries are used in the Use Cases, so I'd suggest you use those in your search with the required modification.

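As an added example (not code from this thread or from the Splunk Security Essentials app), the script below takes a sample-searches JSON like the file named above and rewrites each tstats WHERE clause the way the accepted answer and the `tag==email` finding describe: `==` becomes `=`, the filter is wrapped in parentheses, and `earliest=`/`latest=` stay outside them. The JSON layout and the `name`/`search` keys are assumptions, since the thread does not show the real file's schema.

```python
import json
import re

# Constructed stand-in for showcase_simple_search.json. The real file's schema
# is not shown in the thread, so the "name"/"search" keys are assumptions.
SAMPLE_SEARCHES_JSON = json.dumps([
    {"name": "Spike in Password Reset Emails", "search": "| tstats count where index=* sourcetype=cisco:esa* OR sourcetype=MSExchange*:MessageTracking OR tag==email earliest=-4h"},
    {"name": "Already fixed", "search": "| tstats count where (index=main sourcetype=cisco:esa*) earliest=-4h"},
])

TIME_TOKEN = re.compile(r"\s*\b(?:earliest|latest)=\S+")
TSTATS_STAGE = re.compile(r"(\s*tstats\b.*?\bwhere\s+)(.*?)(\s+by\s+.*)?$", re.S | re.I)

def _wrapped(predicate: str) -> bool:
    """True if one outer pair of parentheses encloses the whole predicate."""
    depth = 0
    for i, ch in enumerate(predicate):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and i < len(predicate) - 1:
            return False  # outer group closed early (or never opened)
    return predicate.startswith("(") and depth == 0

def fix_tstats_where(search: str) -> str:
    """Rewrite every tstats stage: '==' becomes '=' and the filter is parenthesized,
    with earliest=/latest= and any 'by' clause kept outside the parentheses.
    Non-tstats stages are untouched (assumption: no literal '|' inside quoted values)."""
    stages = search.split("|")
    for i, stage in enumerate(stages):
        m = TSTATS_STAGE.match(stage)
        if not m:
            continue
        head, clause, by_part = m.group(1), m.group(2), m.group(3) or ""
        time_tokens = "".join(TIME_TOKEN.findall(clause))  # e.g. " earliest=-4h"
        predicate = TIME_TOKEN.sub("", clause).strip().replace("==", "=")
        if not _wrapped(predicate):
            predicate = f"({predicate})"
        stages[i] = f"{head}{predicate}{time_tokens}{by_part}"
    return "|".join(stages)

def audit_sample_searches(json_text: str) -> list[tuple[str, str]]:
    """Return (name, corrected search) for each entry the rewrite changes."""
    flagged = []
    for entry in json.loads(json_text):
        fixed = fix_tstats_where(entry["search"])
        if fixed != entry["search"]:
            flagged.append((entry["name"], fixed))
    return flagged
```

Running `audit_sample_searches` over the real file (after reading it from the path given above) lists only the use cases that still carry the `==` or unbracketed form, so the corrected searches can be pasted into your own saved searches without editing the app.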