After upgrading to 7.3.3 from 7.0.5, these two log ERRORs are new:
ERROR 2019-12-10 08:01:19.755 security TsidxStats Missing search clause after 'WHERE' keyword 1
ERROR 2019-12-10 08:01:46.309 security TsidxStats Wildcards (*) are not supported in aggregate fields 1
I found a similar log message where it mentions this is a bug.
https://answers.splunk.com/answers/593866/how-to-resolve-this-error-error-in-tsidxstats-wher-1.html
Has anyone seen these two log messages? I'm trying to gauge the significance before upgrading our production environment.
Hi,
IIRC those errors are generated by the scheduled search Audit - Dataset Relation from the app SA-Utils, which runs every 30 minutes and, in the backend, runs contentinfo_rest_handler.py.
Are you running Splunk Enterprise Security?
Yes, we also upgraded Enterprise Security from 5.0.1 to 5.3.1.