How can I fix my query for a malware dashboard, which is throwing me this error: "Error in 'TsidxStats': WHERE clause is not an exact query"?

Communicator

I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:

| `tstats` count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m | timechart minspan=10m useother=true count by Malware_Attacks.action | `drop_dm_object_name("Malware_Attacks")`

The error:
Error in 'TsidxStats': WHERE clause is not an exact query

If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.

1 Solution

Super Champion

Firstly, it is not required to use * (wildcard) in the where clause. And what values are the tokens being set to?

Champion

Is this search the drilldown search for the correlation search? Drilldown searches use the $field$ substitution methods, and are accessed after the notable fires via the Contributing Events (or something along those lines) link.

A drilldown search string is not something that would typically work when pasted into a search bar without said substitution.

Super Champion

Sorry, I missed the $$ around category_form; please check the updated query.
To make it work in the search app, try this without tokens:

| tstats count from datamodel=Malware.Malware_Attacks where * by _time,Malware_Attacks.action span=10m 
    | timechart minspan=10m useother=true count by Malware_Attacks.action 
    | `drop_dm_object_name("Malware_Attacks")`

Communicator

One question: after updating the query, the dashboard panels don't load automatically, and updating the time range etc. doesn't reset it:

Search is waiting for input...

What can I do?

@493669


Super Champion

"Search is waiting for input" means your token has not been set.

Super Champion

Are you talking about the same query above?

Communicator

Yes, the token is set; I press "submit", but nothing happens.

Super Champion

 | tstats count from datamodel=Malware.Malware_Attacks where *  $action$ Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category=$category_form$ by _time,Malware_Attacks.action span=10m 
 | timechart minspan=10m useother=true count by Malware_Attacks.action 
 | `drop_dm_object_name("Malware_Attacks")`

Have you tried this query?
You might have missed Malware_Attacks.bunit= and Malware_Attacks.category=.

Communicator

Still says waiting for input.

Super Champion

Add this below the <table> tag:

<title>$action$ token2=$bunit_form$  token3=$category_form$</title>

and check if the token is set.
Let me know what the title is displaying.

Communicator

$action$ token2= token3=


Super Champion

It seems the tokens are not being set. Please paste the XML.

Communicator

  <fieldset autoRun="true" submitButton="true">
    <input type="dropdown" token="action">
      <label>Action</label>
      <choice value="">All</choice>
      <search>
        <query>| `cim_malware_actions`</query>
      </search>
      <prefix>Malware_Attacks.action="</prefix>
      <suffix>"</suffix>
      <fieldForLabel>action</fieldForLabel>
      <fieldForValue>action</fieldForValue>
    </input>
    <input type="text" token="bunit_form">
      <label>Business Unit</label>
      <default></default>
    </input>
    <input type="dropdown" token="category_form">
      <label>Category</label>
      <choice value="">All</choice>
      <search>
        <query>| `categories`</query>
      </search>
      <fieldForLabel>category</fieldForLabel>
      <fieldForValue>category</fieldForValue>
    </input>
    <input type="time">
      <default>Last 24 hours</default>
    </input>
  </fieldset>

Super Champion

XML looks fine.
Try adding only one token:

| tstats count from datamodel=Malware.Malware_Attacks where *  $action$  by _time,Malware_Attacks.action span=10m 
  | timechart minspan=10m useother=true count by Malware_Attacks.action 
  | `drop_dm_object_name("Malware_Attacks")`

Communicator

Doesn't work on the dashboard even with one token.

Super Champion

Have you changed anything? Since it was working before... Also provide the result of the title, i.e. the token value; for this query only add $action$ in the title...
Also, I'm not sure whether your earliest and latest times are being set properly in the query.

Communicator

It worked this morning, then I went to the dashboard again to change the other queries... and it's broken.

Communicator

Just on the dashboard, it was normal for all tokens except the business unit to be populated automatically with the "All" option, as seen in the XML. But the "action" token does not get automatically filled in anymore.

Super Champion

For Action to display, you need to include the * value for All and also add the default tag:

<default>*</default>
<choice value="*">All</choice>

Super Champion

Once you save your dashboard after editing it, you will see a link similar to the one below:

.../en-GB/app/<app_name>/<dashboard_name>?...

You need to remove everything (i.e. the form.* tokens) after the ? to clear the already-set tokens, and then refresh the dashboard.
