Solved: Re: How can I fix my query for a malware dashboard...

kokanne · ‎02-16-2018

I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:

| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`

The error:
Error in 'TsidxStats': WHERE clause is not an exact query

If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.

493669 · ‎02-16-2018

Firstly not required to use *(wildcard) in where clause..and what token values are setting?

View solution in original post

micahkemp · ‎02-16-2018

Is this search the drilldown search for the correlation search? drilldown searches use the $field$ substitution methods, and are accessed after the notable fires via the Contributing Events (or something along those lines) link.

A drilldown search string is not something that would typically work when pasted into a search bar without said substitution.

493669 · ‎02-16-2018

Firstly not required to use *(wildcard) in where clause..and what token values are setting?

493669 · ‎02-16-2018

sorry I missed $$ around category_form please check updated query
and to work in search app try this without token:

| tstats count from datamodel=Malware.Malware_Attacks where * by _time,Malware_Attacks.action span=10m 
    | timechart minspan=10m useother=true count by Malware_Attacks.action 
    | `drop_dm_object_name("Malware_Attacks")`

kokanne · ‎02-19-2018

One question .. After update the query, the dashboard panels don't load automatically, and updating the time range etc don't reset it:

Search is waiting for input...

What can I do

@493669

493669 · ‎02-19-2018

Search is waiting for input means your token has not been set

493669 · ‎02-19-2018

are you talking about same above query?

kokanne · ‎02-19-2018

Yes, token is set, I press "submit" , but nothing happens.

493669 · ‎02-19-2018

 | tstats count from datamodel=Malware.Malware_Attacks where *  $action$ Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category=$category_form$ by _time,Malware_Attacks.action span=10m 
 | timechart minspan=10m useother=true count by Malware_Attacks.action 
 | `drop_dm_object_name("Malware_Attacks")`

have you tried this query?
might you have missed Malware_Attacks.bunit= and Malware_Attacks.category=

kokanne · ‎02-19-2018

Still says waiting for input

493669 · ‎02-19-2018

add below <table>tag

<title>$action$ token2=$bunit_form$  token3=$category_form$</title>

and check if token is set
Let me know what title is displaying?

kokanne · ‎02-19-2018

$action$ token2= token3=

493669 · ‎02-19-2018

it seems tokens are not being set and plz paste the xml

kokanne · ‎02-19-2018

  <fieldset autoRun="true" submitButton="true">
    <input type="dropdown" token="action">
      <label>Action</label>
      <choice value="">All</choice>
      <search>
        <query>| `cim_malware_actions`</query>
      </search>
      <prefix>Malware_Attacks.action="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>action</fieldForLabel>
      <fieldForValue>action</fieldForValue>
    </input>
    <input type="text" token="bunit_form">
      <label>Business Unit</label>
      <default></default>
    </input>
    <input type="dropdown" token="category_form">
      <label>Category</label>
      <choice value="">All</choice>
      <search>
        <query>| `categories`</query>
      </search>
      <fieldForLabel>category</fieldForLabel>
      <fieldForValue>category</fieldForValue>
    </input>
    <input type="time">
      <default>Last 24 hours</default>
    </input>
  </fieldset>

493669 · ‎02-19-2018

xml looks fine
try adding only one token:

| tstats count from datamodel=Malware.Malware_Attacks where *  $action$  by _time,Malware_Attacks.action span=10m 
  | timechart minspan=10m useother=true count by Malware_Attacks.action 
  | `drop_dm_object_name("Malware_Attacks")`

kokanne · ‎02-19-2018

doesnt work on dashboard even with one token

493669 · ‎02-19-2018

have you changed anything? since before it is working...also provide result of title i.e. token value for this query only add $action$ in title...
also not sure is your earliest and latest time is setting properly in query

kokanne · ‎02-19-2018

It worked this morning then I go to the dashboard again to change the other queries... and broken

kokanne · ‎02-19-2018

Just on the dashbaord, it was normal for all tokens except the business unit to be populated automatically with the "all" option, as seen in xml. but the "action" token does not get autmatically filled in anymore

493669 · ‎02-19-2018

For Action to display you need to include * value for All also add default tag

<default>*</default>
<choice value="*">All</choice>

493669 · ‎02-19-2018

once you save your dashboard after editing it , you can see similar to below link

.../en-GB/app/<app_name>/<dashboard_name>?...

you need to remove all the things (i.e. form.tokens) after ? to clear already set tokens and refresh the dashboard

How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk