How do I fix this search to avoid 'Error in 'SearchParser': Found circular dependency when expanding datamodel=Intrusion_Detection.Network_IDS_Attacks'?
| datamodel Intrusion_Detection Network_IDS_Attacks search | search index=alienvault earliest=-0d@d latest=now | eval ReportKey="today" | append [| datamodel Intrusion_Detection Network_IDS_Attacks search | search index=alienvault earliest=-1d@d latest=-0d@d | eval ReportKey="yesterday" | eval _time=_time+86400] | timechart count by ReportKey
Looks like I just need to convert to using tstats, as per the subsearch documentation:
'The first command in a subsearch must be a generating command such as search, eventcount, or tstats. For a list of generating commands, see Command types in the Search Reference.'
Seems to be kinda difficult to use tstats in this scenario; I think it has to do with aggregating counts before I'm ready to count by timeframe at the end of the search.
This seems to work, will need to further validate...
| tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time | eval Report="yesterday" | append [| tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time | eval Report="today"] | addinfo | eval _time=if(_time < info_min_time + 24*3600, _time + 24*3600, _time) | xyseries _time Report count
How about this:
|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time span=10m |eval Report="yesterday" | eval _time=_time + 86400 |append [|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time span=10m |eval Report="today"] | timechart sum(count) by Report
Equivalent regular search:
your base search earliest=-1d@d latest=now | eval Report=if(_time>=relative_time(now(),"@d"),"today","yesterday") | eval _time=if(_time<relative_time(now(),"@d"),_time+86400,_time) | timechart count by Report
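The day-over-day overlay from the answer above, replicated offline in Python as an added example (not code from the thread or from Splunk): events are labelled today/yesterday by the midnight split used in the eval, yesterday's events are shifted forward by 86400 seconds, and both are counted per 10-minute bucket, so the boundary behaviour of the SPL (an event at exactly midnight lands in "today") can be checked on constructed timestamps.

```python
from datetime import datetime, timedelta, timezone

SPAN = 600   # 10-minute buckets, like "span=10m" in the tstats search
DAY = 86400  # the _time shift applied to yesterday's events


def day_over_day(event_times, now):
    """Label each epoch timestamp 'today' or 'yesterday' relative to the
    midnight of `now` (relative_time(now(), "@d")), shift yesterday's events
    by one day so both days share one time axis, then count per bucket.
    Returns {bucket_start_epoch: {"today": n, "yesterday": m}}."""
    midnight = datetime(now.year, now.month, now.day, tzinfo=timezone.utc)
    today_start = int(midnight.timestamp())   # relative_time(now(), "@d")
    yesterday_start = today_start - DAY       # earliest=-1d@d
    latest = int(now.timestamp())             # latest=now
    table = {}
    for t in event_times:
        if t < yesterday_start or t > latest:
            continue                          # outside the search window
        report = "today" if t >= today_start else "yesterday"
        if report == "yesterday":
            t += DAY                          # eval _time=_time+86400
        bucket = t - (t % SPAN)               # timechart / tstats bucketing
        row = table.setdefault(bucket, {"today": 0, "yesterday": 0})
        row[report] += 1
    return table


def sample_table():
    """Constructed sample timestamps (not real IDS data) covering the edges."""
    now = datetime(2018, 1, 15, 10, 5, tzinfo=timezone.utc)
    mid = datetime(2018, 1, 15, tzinfo=timezone.utc)
    yday = mid - timedelta(days=1)
    stamps = [
        mid - timedelta(days=2, hours=1),          # two days ago: excluded
        yday + timedelta(minutes=3),               # yesterday 00:03
        yday + timedelta(minutes=4),               # yesterday 00:04
        yday + timedelta(minutes=7),               # yesterday 00:07
        yday + timedelta(hours=10, minutes=1),     # yesterday 10:01
        mid,                                       # exactly midnight: "today"
        mid + timedelta(minutes=5),                # today 00:05
        mid + timedelta(minutes=5),                # today 00:05
        mid + timedelta(hours=10, minutes=2),      # today 10:02
        now + timedelta(minutes=30),               # after now: excluded
    ]
    return day_over_day([int(s.timestamp()) for s in stamps], now)
```

Each key of the returned table is a 10-minute bucket on today's axis, so a row such as `{"today": 3, "yesterday": 3}` for the 00:00 bucket is exactly what the `timechart sum(count) by Report` row would show.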
The timewrap ( http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Timewrap ) command is now part of Splunk Enterprise; it looks like this is what you are trying to achieve. Maybe that command would help and make things easier?
This doesn't answer original question and doesn't help any future Splunk users (like me) who have this same problem.