User Behavior search error in Tsidxstats 6.0

mwarvi · ‎11-20-2017

When I attempt to search for a user I get the error "Error in 'TsidxStats': WHERE clause is not an exact query." Our user's come from the pan in the form domain\username. The other search fields appear to work fine. If related, traffic and data events are at 0 as well.

I upgraded to 6.0 from 5.4 by straight upgrading, by "Install from file" and then did a fresh reinstall as well (was fixing other issues).

panguy · ‎12-06-2017

This has been resolved in 6.0.1

btorresgil · ‎11-20-2017

Thanks for reporting this. I filed a bug here:

https://github.com/PaloAltoNetworks/SplunkforPaloAltoNetworks/issues/65

We'll fix this in App 6.0.1. As a workaround, in the dashboard's source line 4, change $user$ to "$user|s$".

Thanks again!

mwarvi · ‎11-21-2017

Hi, I looked at the query and it's already set to $user|s$. I changed it to $user$ in case it got flip flopped, and now the search runs without error using *username.

btorresgil · ‎11-21-2017

Thanks for the feedback. If you use $user|s$ , don't forget you need the double-quotes around it: "$user|s$". That is most likely the reason for the issue. $user$ also works if you're willing to use a wildcard for the domain like you mentioned.

User Behavior search error in Tsidxstats 6.0

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

User Behavior search error in Tsidxstats 6.0

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!