Splunk Search

Datamodel search with Datamodel Subsearch Circular Dependency Error

jgbricker
Contributor

How do I fix this search to avoid: "Error in 'SearchParser': Found circular dependency when expanding datamodel=Intrusion_Detection.Network_IDS_Attacks"

|datamodel Intrusion_Detection Network_IDS_Attacks search | search index=alienvault earliest=-0d@d latest=now |eval ReportKey="today" |append [|datamodel Intrusion_Detection Network_IDS_Attacks search |search index=alienvault earliest=-1d@d latest=-0d@d |eval ReportKey="yesterday" |eval _time=_time+86400] |timechart count by ReportKey

ddance_splunk
Splunk Employee

Hi

The timewrap ( http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Timewrap ) command is now part of Splunk Enterprise. It looks like this is what you are trying to achieve; maybe that command would help and make things easier?

Thanks
Darren


frechette
Explorer

This doesn't answer the original question and doesn't help any future Splunk users (like me) who have this same problem.

jgbricker
Contributor

Looks like I just need to convert to using tstats, as per the subsearch documentation:

'The first command in a subsearch must be a generating command such as search, eventcount, or tstats. For a list of generating commands, see Command types in the Search Reference'

http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Aboutsubsearches


jgbricker
Contributor

This seems to work; will need to validate further.

|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time |eval Report="yesterday" |append [|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time |eval Report="today"] |addinfo |eval _time=if(_time < info_min_time + 24*3600, _time + 24*3600, _time) |xyseries _time Report count


jgbricker
Contributor

The numbers don't match the raw search even with the exact same time aggregation buckets. 😞


somesoni2
Revered Legend

How about this:

|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time span=10m |eval Report="yesterday" | eval _time=_time + 86400 |append [|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time span=10m |eval Report="today"] | timechart sum(count) by Report

Equivalent regular search:

your base search earliest=-1d@d latest=now | eval Report=if(_time>=relative_time(now(),"@d"),"today","yesterday") | eval _time=if(_time<relative_time(now(),"@d"),_time+86400,_time) | timechart count by Report
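
As an added example (not posted by anyone in this thread), the timewrap suggestion above combined with the tstats approach: a single generating command covers both days, so there is no append subsearch to trigger the circular-dependency error, and timewrap performs the day-over-day overlay that the append plus _time shift was emulating by hand. The data model, dataset and index names are the ones from the thread; the 10-minute span, the "alerts" alias and the default timewrap alignment (align=now, so the wrap is relative to the current time rather than to midnight) are assumptions.

```spl
| tstats count FROM datamodel=Intrusion_Detection.Network_IDS_Attacks
    WHERE index=alienvault earliest=-1d@d latest=now
    BY _time span=10m
| timechart span=10m sum(count) AS alerts
| timewrap 1d
```

Each wrapped series (latest day versus the day before) is returned as its own column, so a sudden divergence between the two IDS alert curves stands out without a manual time offset.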

jgbricker
Contributor

Seems to be kinda difficult to use tstats in this scenario; I think it has to do with aggregating counts before I'm ready to count by timeframe at the end of the search.
