All Apps and Add-ons

Palo Alto App Traffic Dashboard Error

iguarino
New Member

If I try to query by IP in the traffic dashboard, I get the following error:

Error in 'TsidxStats': WHERE clause is not an exact query

Please let me know how I can resolve this error. I'm running splunk 6 on windows with the latest version Palo Alto app.

Thanks!

0 Karma
1 Solution

jtrivilino
Engager

Here is the solution to the issue:

Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)

You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):

[input type="text" token="src_ip"]

  [label]Source IP[/label]
  [default][/default]
  [prefix]src_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_ip"]

  [label]Destination IP[/label]
  [default][/default]
  [prefix]dst_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_port"]

  [label]Destination Port[/label]
  [default][/default]
  [prefix]dst_port="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="src_user"]

  [label]Source User[/label]
  [default][/default]
  [prefix]src_user="[/prefix]
  [suffix]"[/suffix]

[/input]

Hope this helps!

View solution in original post

jtrivilino
Engager

Here is the solution to the issue:

Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)

You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):

[input type="text" token="src_ip"]

  [label]Source IP[/label]
  [default][/default]
  [prefix]src_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_ip"]

  [label]Destination IP[/label]
  [default][/default]
  [prefix]dst_ip="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="dst_port"]

  [label]Destination Port[/label]
  [default][/default]
  [prefix]dst_port="[/prefix]
  [suffix]"[/suffix]

[/input]

[input type="text" token="src_user"]

  [label]Source User[/label]
  [default][/default]
  [prefix]src_user="[/prefix]
  [suffix]"[/suffix]

[/input]

Hope this helps!

cckevin
Engager

Thanks. It solve the problem.

0 Karma

cckevin
Engager

I have the same error with Splunk 6 also. Any solution??

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...