Dashboards & Visualizations

How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

kokanne
Communicator

I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:

| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`

The error:
Error in 'TsidxStats': WHERE clause is not an exact query

If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.

0 Karma
1 Solution

493669
Super Champion

Firstly not required to use *(wildcard) in where clause..and what token values are setting?

View solution in original post

kokanne
Communicator

So look, I put this in my dashboard

| tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit_form$ $category_form$ by _time,Malware_Attacks.action span=10m 
     | timechart minspan=10m useother=true count by Malware_Attacks.action 
     | `drop_dm_object_name("Malware_Attacks")`

and this works fine so ,I think that's all I need right

0 Karma

kokanne
Communicator

you did not post an answer yet can you do that so ican accept it thank you

0 Karma

493669
Super Champion

Glad to help:) Please accept the answer and upvote the comments which helped you..

0 Karma

kokanne
Communicator

thank you!

0 Karma

493669
Super Champion

yes :slightly_smiling_face: that's it.

0 Karma

493669
Super Champion

try this:

| tstats count from datamodel=Malware.Malware_Attacks where * action bunit category by _time,Malware_Attacks.action span=10m 
 | timechart minspan=10m useother=true count by Malware_Attacks.action 
 | `drop_dm_object_name("Malware_Attacks")`

kokanne
Communicator

Is executing the search, but does not return any events

0 Karma

493669
Super Champion

also I am assuming sign ` around tstats is a typo

0 Karma

kokanne
Communicator

I don't make the query, so I have no idea, it is from enterprise security dashboard

0 Karma

493669
Super Champion

so is their any sign around |tstatscommand?

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...