
How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne
Communicator

I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:

| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`

The error:
Error in 'TsidxStats': WHERE clause is not an exact query

If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.


493669
Super Champion

Firstly, it is not required to use * (wildcard) in the where clause. And what token values are being set?


kokanne
Communicator

After putting in the default, it's working.


493669
Super Champion

Glad it works ☺

493669
Super Champion

Add $action$ in the <title> tag and check what value is set.


kokanne
Communicator

Hi, should I replace the wildcard with %?
The tokens are shown in the query: action, bunit and category.


493669
Super Champion

No, you cannot replace it with %. Do you really need a wildcard here, as the where clause is used to filter search results?
The values of these tokens, $action$ $bunit$ $category$, are being populated from different inputs/panels, so what values are being set in these tokens?


kokanne
Communicator

Okay, I removed the wildcard completely.

To be honest, this query was not built by me, it's part of the Enterprise Security dashboards, but it stopped working 2 weeks ago. I would assume that it's like this:

action=$action$
punct=$bunit$
category=$category$


493669
Super Champion

Wait, retain * and try datamodel=Malware_Attacks or datamodel=Malware in the query.
If you try only | tstats count from datamodel=Malware.Malware_Attacks, does it return events?

kokanne
Communicator
| `tstats` count from datamodel=Malware_Attacks where $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Error in 'TsidxStats': Could not find datamodel: Malware_Attacks

| `tstats` count from datamodel=Malware where $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Error in 'TsidxStats': WHERE clause is not an exact query


493669
Super Champion

Try running the query in parts and check when you receive the error:

| tstats count from datamodel=Malware.Malware_Attacks

and then try to run:

| tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ 

kokanne
Communicator
| `tstats` count from datamodel=Malware.Malware_Attacks by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Runs fine, returns 31 statistics.
Results are not accurate; it returns null values where there should be events.

| tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Does not run: Error in 'TsidxStats': WHERE clause is not an exact query

The problem, I think, is with the tokens, but I don't know how to fix it.


493669
Super Champion

And if you try this?

| tstats count from datamodel=Malware.Malware_Attacks where * by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

kokanne
Communicator

Works, returns more events, as well as today when there should be, but it is null for a long stretch of the 2-week timeframe.


493669
Super Champion

So when you add the tokens it gives an error, right?


kokanne
Communicator

Yes, that is correct, the tokens cause the error.


493669
Super Champion

So add these tokens to your XML as <title>$action$ $bunit$ $category$</title> and check what values are being set there.

kokanne
Communicator

I put it in the XML, but I don't see it displayed. What do I do?


493669
Super Champion

Have you put it below <table>?


kokanne
Communicator

Sorry, my bad. This is what I see:

[screenshot of the dashboard panel title, not included]


493669
Super Champion

It seems no token value is getting set.


493669
Super Champion

Is there anything like token="bunit" present in your XML?
I'm not sure: if they don't have any values, why are these tokens being used?


kokanne
Communicator

Like I said, it's from Enterprise Security. When I look at the XML, I can tell that "bunit" is for business unit. Look:

  <fieldset autoRun="true" submitButton="true">
    <input type="dropdown" token="action">
      <label>Action</label>
      <choice value="">All</choice>
      <populatingSearch fieldForValue="action" fieldForLabel="action">| `cim_malware_actions`</populatingSearch>
      <default></default>
      <prefix>Malware_Attacks.action="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="text" token="bunit_form">
      <label>Business Unit</label>
      <default></default>
    </input>
    <input type="dropdown" token="category_form">
      <label>Category</label>
      <choice value="">All</choice>
      <populatingSearch fieldForValue="category" fieldForLabel="category">| `categories`</populatingSearch>
      <default></default>
    </input>
    <input type="time">
      <default>Last 24 hours</default>
    </input>
  </fieldset>