- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I try to query by IP in the traffic dashboard, I get the following error:
Error in 'TsidxStats': WHERE clause is not an exact query
Please let me know how I can resolve this error. I'm running splunk 6 on windows with the latest version Palo Alto app.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the solution to the issue:
Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)
You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):
[input type="text" token="src_ip"]
[label]Source IP[/label]
[default][/default]
[prefix]src_ip="[/prefix]
[suffix]"[/suffix]
[/input]
[input type="text" token="dst_ip"]
[label]Destination IP[/label]
[default][/default]
[prefix]dst_ip="[/prefix]
[suffix]"[/suffix]
[/input]
[input type="text" token="dst_port"]
[label]Destination Port[/label]
[default][/default]
[prefix]dst_port="[/prefix]
[suffix]"[/suffix]
[/input]
[input type="text" token="src_user"]
[label]Source User[/label]
[default][/default]
[prefix]src_user="[/prefix]
[suffix]"[/suffix]
[/input]
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the solution to the issue:
Under the Palo Alto App -> Traffic Dashboard -> Edit -> Edit Source (XML)
You'll see a block of XML code towards the top defining the inputs. The issue is that there are no prefix and suffix identifiers for the first several fields (src_ip, dst_ip, dst_port, and src_user). So, we need to defined those lines of code in order for the search bars to work properly. You'll end up with a chunk of code that looks like this (replacing the [ and ] brackets with appropriate XML < and > brackets):
[input type="text" token="src_ip"]
[label]Source IP[/label]
[default][/default]
[prefix]src_ip="[/prefix]
[suffix]"[/suffix]
[/input]
[input type="text" token="dst_ip"]
[label]Destination IP[/label]
[default][/default]
[prefix]dst_ip="[/prefix]
[suffix]"[/suffix]
[/input]
[input type="text" token="dst_port"]
[label]Destination Port[/label]
[default][/default]
[prefix]dst_port="[/prefix]
[suffix]"[/suffix]
[/input]
[input type="text" token="src_user"]
[label]Source User[/label]
[default][/default]
[prefix]src_user="[/prefix]
[suffix]"[/suffix]
[/input]
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. It solve the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same error with Splunk 6 also. Any solution??
