All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Palo Alto App Traffic Dashboard Error

iguarino
New Member
‎12-10-2013 06:27 AM

If I try to query by IP in the traffic dashboard, I get the following error:

Error in 'TsidxStats': WHERE clause is not an exact query

Please let me know how I can resolve this error. I'm running splunk 6 on windows with the latest version Palo Alto app.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jtrivilino
Engager
‎01-16-2014 07:47 AM

Here is the solution to the issue:

Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)

You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):

[input type="text" token="src_ip"]

  [label]Source IP[/label]
  [default][/default]
  [prefix]src_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_ip"]

  [label]Destination IP[/label]
  [default][/default]
  [prefix]dst_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_port"]

  [label]Destination Port[/label]
  [default][/default]
  [prefix]dst_port="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="src_user"]

  [label]Source User[/label]
  [default][/default]
  [prefix]src_user="[/prefix]
  [suffix]"[/suffix]

[/input]

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

jtrivilino
Engager
‎01-16-2014 07:47 AM

Here is the solution to the issue:

Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)

You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):

[input type="text" token="src_ip"]

  [label]Source IP[/label]
  [default][/default]
  [prefix]src_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_ip"]

  [label]Destination IP[/label]
  [default][/default]
  [prefix]dst_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_port"]

  [label]Destination Port[/label]
  [default][/default]
  [prefix]dst_port="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="src_user"]

  [label]Source User[/label]
  [default][/default]
  [prefix]src_user="[/prefix]
  [suffix]"[/suffix]

[/input]

Hope this helps!

Reply
Solved! Jump to solution

cckevin
Engager
‎01-17-2014 02:01 AM

Thanks. It solve the problem.

0 Karma
Reply
Solved! Jump to solution

cckevin
Engager
‎01-08-2014 12:00 AM

I have the same error with Splunk 6 also. Any solution??

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...