All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Palo Alto App Traffic Dashboard Error

iguarino
New Member
‎12-10-2013 06:27 AM

If I try to query by IP in the traffic dashboard, I get the following error:

Error in 'TsidxStats': WHERE clause is not an exact query

Please let me know how I can resolve this error. I'm running splunk 6 on windows with the latest version Palo Alto app.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jtrivilino
Engager
‎01-16-2014 07:47 AM

Here is the solution to the issue:

Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)

You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):

[input type="text" token="src_ip"]

  [label]Source IP[/label]
  [default][/default]
  [prefix]src_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_ip"]

  [label]Destination IP[/label]
  [default][/default]
  [prefix]dst_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_port"]

  [label]Destination Port[/label]
  [default][/default]
  [prefix]dst_port="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="src_user"]

  [label]Source User[/label]
  [default][/default]
  [prefix]src_user="[/prefix]
  [suffix]"[/suffix]

[/input]

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

jtrivilino
Engager
‎01-16-2014 07:47 AM

Here is the solution to the issue:

Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)

You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):

[input type="text" token="src_ip"]

  [label]Source IP[/label]
  [default][/default]
  [prefix]src_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_ip"]

  [label]Destination IP[/label]
  [default][/default]
  [prefix]dst_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_port"]

  [label]Destination Port[/label]
  [default][/default]
  [prefix]dst_port="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="src_user"]

  [label]Source User[/label]
  [default][/default]
  [prefix]src_user="[/prefix]
  [suffix]"[/suffix]

[/input]

Hope this helps!

Reply
Solved! Jump to solution

cckevin
Engager
‎01-17-2014 02:01 AM

Thanks. It solve the problem.

0 Karma
Reply
Solved! Jump to solution

cckevin
Engager
‎01-08-2014 12:00 AM

I have the same error with Splunk 6 also. Any solution??

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...