topic Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error in Splunk Search

Datamodel search with Datamodel Subsearch Circular Dependancy Error

jgbricker — Tue, 29 Sep 2020 13:03:08 GMT

How do I fix this search to avoid- 'Error in 'SearchParser': Found circular dependency when expanding datamodel=Intrusion_Detection.Network_IDS_Attacks'

Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error

jgbricker — Wed, 01 Mar 2017 19:48:22 GMT

looks like i just need to convert to using tstats as per the subsearch documentation -

'The first command in a subsearch must be a generating command such as search, eventcount, or tstats. For a list of generating commands, see Command types in the Search Reference'

http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Aboutsubsearches

Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error

jgbricker — Wed, 01 Mar 2017 20:34:10 GMT

Seems to be kinda difficult to use tstats in this scenario, i think it has to do with aggregating counts before i'm ready to count by timeframe at the end of the search.

Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error

jgbricker — Tue, 29 Sep 2020 13:03:18 GMT

This seems to work - will need to further validate ..

|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time |eval Report="yesterday" |append [|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time |eval Report="today"] |addinfo |eval _time=if(_time < info_min_time + 24*3600, _time + 24*3600, _time) |xyseries _time Report count

Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error

jgbricker — Wed, 01 Mar 2017 21:10:09 GMT

The numbers don't match the raw search even with the exact same time aggregation buckets. 😞

Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error

somesoni2 — Wed, 01 Mar 2017 22:37:52 GMT

How about this

|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time span=10m |eval Report="yesterday" | eval _time=_time + 86400 |append [|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time span=10m |eval Report="today"] | timechart sum(count) by Report

Equivalent regular search

your base search earliest=-1d@d latest=now | eval Report=if(_time>=relative_time(now(),"@d"),"today","yesterday")  | eval _time=if(_time<relative_time(now(),"@d"),_time+86400,_time) 
| timechart count by Report

Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error

ddance_splunk — Wed, 03 Jan 2018 13:00:57 GMT

the timewrap ( http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Timewrap ) command is now part of Splunk Enterprise, it looks like this is what you are trying to achieve, maybe that command would help and make things easier?

Thanks
Darren

Re: Datamodel search with Datamodel Subsearch Circular Dependancy Error

frechette — Sun, 30 Sep 2018 17:57:43 GMT

This doesn't answer original question and doesn't help any future Splunk users (like me) who have this same problem.