Splunk Search

Error: Cannot expand lookup field due to a reference cycle in the lookup configuration

anapp
Explorer

OK, this is odd

Search: 

index=myindex

Works and returns a field "Name", happily listing all values of Name as expected

However any search on the name field e.g.

index=myindex Name=Fred

returns the error:

Cannot expand lookup field 'Name' due to a reference cycle in the lookup configuration. Check search.log for details and update the lookup configuration to remove the reference cycle.

Unfortunately I have no idea what to search for in the search log 

Splunk support have only pointed me to this discussion and told me to re-save a specific cisco lookup:

https://community.splunk.com/t5/Splunk-Cloud-Platform/Cannot-expand-lookup-field-due-to-a-reference-...

and it isn't that as we don't have that cisco lookup table 🙂

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

The broader issue referred to in that linked page you posted, is not specifically about Cisco, but about the resolution of field evaluations. Your Name field is being extracted by Splunk at search time and somewhere in Splunk's process of finding out what Name field should be, it is coming across the reference cycle issue described.

As ray says in that post, they recently upgraded the message from INFO to WARN. 

Have a look at the job inspector search log and look for 'cycle' as described in the post and see if that gives any clues as to why there is that issue occurring on your Name field.

Do you have any Cisco TA installed? As you are on Splunk Cloud, I would suggest you raise a ticket with Splunk asking THEM to run the btool command for you to see if they can identify the problem in your config.

 

View solution in original post

anapp
Explorer

Thanks 

Tracked down the lookup file but no obvious issue - I shall "nudge" splunks support as I was asking here due to their sluggishness 🙂

0 Karma

bowesmana
SplunkTrust
SplunkTrust

The broader issue referred to in that linked page you posted, is not specifically about Cisco, but about the resolution of field evaluations. Your Name field is being extracted by Splunk at search time and somewhere in Splunk's process of finding out what Name field should be, it is coming across the reference cycle issue described.

As ray says in that post, they recently upgraded the message from INFO to WARN. 

Have a look at the job inspector search log and look for 'cycle' as described in the post and see if that gives any clues as to why there is that issue occurring on your Name field.

Do you have any Cisco TA installed? As you are on Splunk Cloud, I would suggest you raise a ticket with Splunk asking THEM to run the btool command for you to see if they can identify the problem in your config.

 

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...