Splunk Search

Circular dependency Issue in Data Model


Error: Error in 'SearchProcessor': Found circular dependency when expanding from.Network_Traffic.All_Traffic

Background: core is an index containing {ipAddress, score}.

When creating a data model with the following query:
`| union
[| from datamodel:"Network_Traffic.All_Traffic" | join type=left src_ip [search source=core | rename ipAddress AS src_ip] | rename src_ip as ip | stats latest(score) by ip | where score!="" and score!="null"]

[| from datamodel:"Network_Traffic.All_Traffic" | join type=left dest_ip [search source=core | rename ipAddress AS dest_ip] | rename dest_ip as ip | stats latest(score) by ip | where score!="" and score!="null"]`

I'm trying to lookup all ipAddress from the NetworkTraffic datamodel and map it with score from the core index.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!