I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:
| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`
The error:
Error in 'TsidxStats': WHERE clause is not an exact query
If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.
Firstly, it's not required to use * (wildcard) in the where clause. And what token values are being set?
Okay, now try this:
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category="category_form" by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Error in 'TsidxStats': WHERE clause is not an exact query
Now try the tokens one by one in the query:
First try only $action$.
If it works, then try only Malware_Attacks.bunit=$bunit_form$ and check.
$action$ does not work
Malware_Attacks.bunit=$bunit_form$ works
Malware_Attacks.category="category_form" works
But both don't return any events.
| tstats count from datamodel=Malware.Malware_Attacks where * Malware_Attacks.action=$action$ Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category=$category_form$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
This works but doesn't return any events.
Are you selecting a value for each dropdown, then clicking Submit, and then checking the query result, right?
There's no dropdown, not sure what you mean.
From your XML I can see two dropdowns, one text input, one time input and a submit button, isn't it?
So are you running this query directly in search, or putting it in the dashboard and then checking?
Search app
Ohh ok... then how will these tokens get values? They never will. So to make the above query work, put it in your dashboard and check:
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ Malware_Attacks.bunit="$bunit_form$" Malware_Attacks.category="$category_form$" by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Doesn't seem to work for the dashboard either, but my workday is done now, I will look again Monday.
Thanks for the help.
Just paste the query you have tried in the dashboard... bye.
I tried:
| tstats count from datamodel=Malware.Malware_Attacks where * Malware_Attacks.bunit=$bunit$ Malware_Attacks.category=$category$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
But it gives an error in the dashboard:
Comparator '=' is missing a term on the right hand side.
I don't know where.
As per your XML your token is $category_form$ instead of $category$, and also $bunit_form$ instead of $bunit$:
| tstats count from datamodel=Malware.Malware_Attacks where * Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category=$category_form$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Still produces the same error.
OK, first try the below in the Search app:
| tstats count from datamodel=Malware.Malware_Attacks where * by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Does it work?
Yes, this works, but not with tokens.
Yes, it will only work without tokens in the Search app.
Now go to your dashboard, edit it and add the below query with only one token:
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Yes, it is working.
OK, now add a second token in it:
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ Malware_Attacks.bunit=$bunit_form$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`