I'm trying to fix my query for my malware dashboard, but it doesn't seem to work in any way possible, maybe I'm just not experienced enough to fix it. The query is the following:
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ $bunit$ $category$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
The error:
Error in 'TsidxStats': WHERE clause is not an exact query
If anyone could tell me what I'm doing wrong, that would be great. Sorry for posting such a stupid question.
Firstly, it is not required to use * (wildcard) in the where clause.. and what token values are being set?
Is this search the drilldown search for the correlation search? Drilldown searches use the $field$ substitution methods, and are accessed after the notable fires via the Contributing Events (or something along those lines) link. A drilldown search string is not something that would typically work when pasted into a search bar without said substitution.
Sorry, I missed the $$ around category_form; please check the updated query.
To make it work in the Search app, try this without tokens:
| tstats count from datamodel=Malware.Malware_Attacks where * by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
One question.. After updating the query, the dashboard panels don't load automatically, and updating the time range etc. doesn't reset it:
Search is waiting for input...
What can I do?
@493669
"Search is waiting for input" means your token has not been set.
Are you talking about the same query as above?
Yes, the token is set; I press "submit", but nothing happens.
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ Malware_Attacks.bunit=$bunit_form$ Malware_Attacks.category=$category_form$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Have you tried this query? You might have missed Malware_Attacks.bunit= and Malware_Attacks.category=
Still says waiting for input
Add the below under the <table> tag:
<title>$action$ token2=$bunit_form$ token3=$category_form$</title>
and check if the token is set. Let me know what title is displayed.
$action$ token2= token3=
It seems the tokens are not being set; please paste the XML.
<fieldset autoRun="true" submitButton="true">
<input type="dropdown" token="action">
<label>Action</label>
<choice value="">All</choice>
<search>
<query>| `cim_malware_actions`</query>
</search>
<prefix>Malware_Attacks.action="</prefix>
<suffix>"</suffix>
<fieldForLabel>action</fieldForLabel>
<fieldForValue>action</fieldForValue>
</input>
<input type="text" token="bunit_form">
<label>Business Unit</label>
<default></default>
</input>
<input type="dropdown" token="category_form">
<label>Category</label>
<choice value="">All</choice>
<search>
<query>| `categories`</query>
</search>
<fieldForLabel>category</fieldForLabel>
<fieldForValue>category</fieldForValue>
</input>
<input type="time">
<default>Last 24 hours</default>
</input>
</fieldset>
The XML looks fine. Try adding only one token:
| tstats count from datamodel=Malware.Malware_Attacks where * $action$ by _time,Malware_Attacks.action span=10m
| timechart minspan=10m useother=true count by Malware_Attacks.action
| `drop_dm_object_name("Malware_Attacks")`
Doesn't work on the dashboard even with one token.
Have you changed anything? Since before it was working... Also provide the result of the title, i.e. the token value; for this query only add $action$ in the title...
Also, I'm not sure whether your earliest and latest time are being set properly in the query.
It worked this morning, then I went to the dashboard again to change the other queries... and it's broken.
Just on the dashboard, it was normal for all tokens except the business unit to be populated automatically with the "All" option, as seen in the XML. But the "action" token does not get automatically filled in anymore.
For Action to display you need to include the * value for All; also add a default tag:
<default>*</default>
<choice value="*">All</choice>
Once you save your dashboard after editing it, you will see a link similar to the one below:
.../en-GB/app/<app_name>/<dashboard_name>?...
You need to remove everything (i.e. the form.* token parameters) after the ? to clear the already-set tokens and refresh the dashboard.