Re: User Behavior search error in Tsidxstats 6.0

mwarvi · ‎11-20-2017

When I attempt to search for a user I get the error "Error in 'TsidxStats': WHERE clause is not an exact query." Our user's come from the pan in the form domain\username. The other search fields appear to work fine. If related, traffic and data events are at 0 as well.

I upgraded to 6.0 from 5.4 by straight upgrading, by "Install from file" and then did a fresh reinstall as well (was fixing other issues).

panguy · ‎12-06-2017

This has been resolved in 6.0.1

btorresgil · ‎11-20-2017

Thanks for reporting this. I filed a bug here:

https://github.com/PaloAltoNetworks/SplunkforPaloAltoNetworks/issues/65

We'll fix this in App 6.0.1. As a workaround, in the dashboard's source line 4, change $user$ to "$user|s$".

Thanks again!

mwarvi · ‎11-21-2017

Hi, I looked at the query and it's already set to $user|s$. I changed it to $user$ in case it got flip flopped, and now the search runs without error using *username.

btorresgil · ‎11-21-2017

Thanks for the feedback. If you use $user|s$ , don't forget you need the double-quotes around it: "$user|s$". That is most likely the reason for the issue. $user$ also works if you're willing to use a wildcard for the domain like you mentioned.

User Behavior search error in Tsidxstats 6.0

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation