Solved: Re: How can I fix my query for a malware dashboard... - Page 3

kokanne · ‎02-16-2018

I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:

| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`

The error:
Error in 'TsidxStats': WHERE clause is not an exact query

If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.

493669 · ‎02-16-2018

Firstly not required to use *(wildcard) in where clause..and what token values are setting?

View solution in original post

493669 · ‎02-16-2018

okay..now try this:

| tstats count from datamodel=Malware.Malware_Attacks where * $action$ Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category="category_form" by _time,Malware_Attacks.action span=10m 
  | timechart minspan=10m useother=true count by Malware_Attacks.action 
  | `drop_dm_object_name("Malware_Attacks")`

kokanne · ‎02-16-2018

Error in 'TsidxStats': WHERE clause is not an exact query

493669 · ‎02-16-2018

now try one by one token in query :
first try only $action$ if it works then try only Malware_Attacks.bunit=$bunit_form$ and check

kokanne · ‎02-16-2018

$action$ does not work

Malware_Attacks.bunit=$bunit_form$ works

Malware_Attacks.category="category_form" works

but both dont return any events

kokanne · ‎02-16-2018

 | tstats count from datamodel=Malware.Malware_Attacks where * Malware_Attacks.action=$action$ Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category=$category_form$ by _time,Malware_Attacks.action span=10m 
   | timechart minspan=10m useother=true count by Malware_Attacks.action 
   | `drop_dm_object_name("Malware_Attacks")`

This works but no return any events

493669 · ‎02-16-2018

are you selecting dropdown values for each dropdown and then clicking on submit and then checking query result right?

kokanne · ‎02-16-2018

theres no dropdown, not sure what you mean

493669 · ‎02-16-2018

from your xml I can see two dropdown , one text input and one time input and submit button isn't it?

493669 · ‎02-16-2018

so are you running this query directly in search?
or putting it in dashboard and then checking?

kokanne · ‎02-16-2018

search app

493669 · ‎02-16-2018

Ohhk...then how these token will get values ...it will never get...so to work above query put it in your dashboard and check

| tstats count from datamodel=Malware.Malware_Attacks where * $action$ Malware_Attacks.bunit="$bunit_form$" Malware_Attacks.category="$category_form$" by _time,Malware_Attacks.action span=10m 
   | timechart minspan=10m useother=true count by Malware_Attacks.action 
   | `drop_dm_object_name("Malware_Attacks")`

kokanne · ‎02-16-2018

doesnt seem to work for dashboard either, but my workday is done now, i will look again monday

thanks for help-

493669 · ‎02-16-2018

just paste your query what you have tried in dashboard...bye

kokanne · ‎02-18-2018

I tried:

| tstats count from datamodel=Malware.Malware_Attacks where * Malware_Attacks.bunit=$bunit$ Malware_Attacks.category=$category$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

But gives error in dashboard:

Comparator '=' is missing a term on the right hand side.

I don't know where?

493669 · ‎02-19-2018

as per your xml your token is $category_form$ instead of $category$

also $bunit_form$ instead of $bunit$

kokanne · ‎02-19-2018

| tstats count from datamodel=Malware.Malware_Attacks where * Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category=$category_form$ by _time,Malware_Attacks.action span=10m 
| timechart minspan=10m useother=true count by Malware_Attacks.action 
| `drop_dm_object_name("Malware_Attacks")`

Still produces same error

493669 · ‎02-19-2018

ok first try below in search app:

| tstats count from datamodel=Malware.Malware_Attacks where * by _time,Malware_Attacks.action span=10m 
     | timechart minspan=10m useother=true count by Malware_Attacks.action 
     | `drop_dm_object_name("Malware_Attacks")`

Does it working?

kokanne · ‎02-19-2018

Yes this works, but not with tokens

493669 · ‎02-19-2018

yes it will only work without tokens in search app
now go to your dashboard and edit and add below query with only one token:

 | tstats count from datamodel=Malware.Malware_Attacks where * $action$  by _time,Malware_Attacks.action span=10m 
    | timechart minspan=10m useother=true count by Malware_Attacks.action 
    | `drop_dm_object_name("Malware_Attacks")`

kokanne · ‎02-19-2018

yes is working

493669 · ‎02-19-2018

ok now add second token in it:

| tstats count from datamodel=Malware.Malware_Attacks where * $action$ Malware_Attacks.bunit=$bunit_form$  by _time,Malware_Attacks.action span=10m 
     | timechart minspan=10m useother=true count by Malware_Attacks.action 
     | `drop_dm_object_name("Malware_Attacks")`

How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes