I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:
| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`
The error:
Error in 'TsidxStats': WHERE clause is not an exact query
If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.
Firstly not required to use *
(wildcard) in where clause..and what token values are setting?
after putting the default its working
Glad it works ☺
add $action$
in <title>
tag and check what is value is set?
Hi, the wildcard I should replace with % ?
The tokens are shown in query, action bunit and category
No, you can not replace it with %
..Do you really need wildcard here as where clause is used to to filter search results.
$action$
$bunit$
$category$
these tokens value is getting populating from different input/panel ..so In these token what values are setting .
Okay,I remove the wildcard completely
To be honest, this query was not built by me, it's part of the enterprise security dashboards, but stopped working 2 weeks ago. I would assume that its like this:
action=$action$
punct=$bunit$
category=$category$
wait ..retain * and try in query datamodel=Malware_Attacks
or datamodel=Malware
If you try only | tstats count from datamodel=Malware.Malware_Attacks
does it returning events?
| `tstats` count from datamodel=Malware_Attacks where $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Error in 'TsidxStats': Could not find datamodel: Malware_Attacks
| `tstats` count from datamodel=Malware where $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Error in 'TsidxStats': WHERE clause is not an exact query
try running query in parts and check when you are receiving error?
| tstats count from datamodel=Malware.Malware_Attacks
and then try to run
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$
| `tstats` count from datamodel=Malware.Malware_Attacks by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Runs fine, returns 31 Statistics
Results are not accurate, returns null values for when there should be events
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Does not run: Error in 'TsidxStats': WHERE clause is not an exact query
The problem, I think, is with the tokens, but I don't know how to fix
and if try this then?
| tstats count from datamodel=Malware.Malware_Attacks where * by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Works, returns more events, as well on the day today when there should be, but very long it is on null from timeframe 2 weeks
so when you are adding tokens it gives an error right?
Yes that is correct, the tokens make error
so add these token in <title>$action$ $bunit$ $category$</title>
your xml and check what values are being set there?
I put it in the xml , do not see displayed, what do ?
have you put below <table>
?
sorry, my bad. this is what i see:
it seems no token value is getting set
is there any token=bunit
like present in your xml?
not sure if they dont have any values then why are these tokens are used..
Like said, it's from enterprise security, when i look at XML , i can tell that "bunit" is for business unit .. look
<fieldset autoRun="true" submitButton="true">
<input type="dropdown" token="action">
<label>Action</label>
<choice value="">All</choice>
<populatingSearch fieldForValue="action" fieldForLabel="action">| `cim_malware_actions`</populatingSearch>
<default></default>
<prefix>Malware_Attacks.action="</prefix>
<suffix>"</suffix>
</input>
<input type="text" token="bunit_form">
<label>Business Unit</label>
<default></default>
</input>
<input type="dropdown" token="category_form">
<label>Category</label>
<choice value="">All</choice>
<populatingSearch fieldForValue="category" fieldForLabel="category">| `categories`</populatingSearch>
<default></default>
</input>
<input type="time">
<default>Last 24 hours</default>
</input>
</fieldset>