OK, this is odd Search:  index=myindex Works and returns a field "Name", happily listing all values of Name as expected However any search on the name field e.g. index=myindex Name=Fred returns the error: Cannot expand lookup field 'Name' due to a reference cycle in the lookup configuration. Check search.log for details and update the lookup configuration to remove the reference cycle. Unfortunately I have no idea what to search for in the search log  Splunk support have only pointed me to this discussion and told me to re-save a specific cisco lookup: https://community.splunk.com/t5/Splunk-Cloud-Platform/Cannot-expand-lookup-field-due-to-a-reference-cycle-in-the/m-p/543455 and it isn't that as we don't have that cisco lookup table

I have a props conf file that is not parsing data as i expected. I can see in the raw log that the IIS log has the header information in it.    [sourcetype] DATETIME_CONFIG = INDEXED_EXTRACTIONS = w3c LINE_BREAKER = ([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 32 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Web description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server detect_trailing_nulls = auto disabled = false pulldown_type = true   When i manual upload the log file and assigning it to it will parse out the log with the same settings.   [sourcetypeA] DATETIME_CONFIG = INDEXED_EXTRACTIONS = w3c LINE_BREAKER = ([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD = 32 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Web description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server detect_trailing_nulls = auto disabled = false pulldown_type = true   This props is on the searchhead were i am searching the data. The IIS logs is being capture via a UF.   Has anyone run into this before?

Hi Everyone, I am new to Splunk. Could someone help me and provide the search for the below query: That would be Great!! I have a search which gives below results by doing comparison of last week and current week and it shows the count of each status in weekly manner. Date Active Inactive Deleted Added 09/10/21 50 20 5 20   I will be sending the above result to lookup file every week data to provide the summary.(| outputlookup append=true summary.csv) The lookup file looks like below after 3 weeks. Date Active Inactive Deleted Added 09/10/2021 50 20 5 20 16/10/2021 55 15 10 30 23/10/2021 60 10 8 15   Date column keeps on growing dynamically each week,  always I need to  calculate difference between last two column and create new column to tell the difference. The result am expecting is below.    Status 09/10/2021 16/10/2021 23/10/2021 Difference b/w last 2 columns Active 50 55 60 5 Inactive 20 15 10 -5 Deleted 5 10 8 -2 Added 20 30 15 -15

Hello Splunkers, I need help with Network Security Group flow logs where  each of the tuples should be a single event  with other relevant data for an event. Sample.log _raw: {"time":"2021-10-25T16:17:50.8670851Z","systemId":"1c5751f4-8686-4ea5-82ee-173b64d401dd","macAddress":"xxxxxxxxxx","category":"NetworkSecurityGroupFlowEvent","resourceId":"/SUBSCRIPTIONS/A80612A2-33D6-47FF-817A-283E8BC8EDD2/RESOURCEGROUPS/C-SAP-EUS-NONPROD-01-INT-NETWORKING-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DATA-INT-SUBNET-NSG","operationName":"NetworkSecurityGroupFlowEvents","properties":{"Version":2,"flows":[{"rule":"DefaultRule_AllowVnetOutBound","flows":[{"mac":"000D3A57248C","flowTuples":["1635178607,,10.123.2.28,46058,9997,T,O,A,E,1,74,1,60","1635178607,10.115.34.31,10.123.2.18,29128,9997,T,O,A,E,19,7292,16,1227","1635178609,10.115.34.31,10.119.241.5,26540,9997,T,O,A,E,47,54806,64,4395","1635178612,10.115.34.31,13.69.239.72,56024,443,T,O,A,B,,,,","1635178613,10.115.34.31,13.69.239.72,56026,443,T,O,A,B,,,,","1635178614,10.115.34.31,10.192.124.221,56488,80,T,O,A,B,,,,","1635178618,10.115.34.31,13.69.239.72,56024,443,T,O,A,E,8,1158,8,4897"]}]},{"rule":"UserRule_AzAppSubnet_access_toAzDBSubnet_Catch-all","flows":[{"mac":"000D3A57248C","flowTuples":["1635178635,10.115.32.28,10.115.34.31,54322,33015,T,I,A,B,,,,"]}]}]}} Json format    category: NetworkSecurityGroupFlowEvent    macAddress: xxxxxxxxxx    operationName: NetworkSecurityGroupFlowEvents    properties: { [-]      Version: 2      flows: [ [-]        { [-]          flows: [ [-]            { [-]              flowTuples: [ [-]                1635172376,ip1,ip2,58636,443,T,O,A,E,6,1611,1,66                1635172377,ip1,ip2,27910,443,T,O,A,B,,,,                1635172377,ip1,ip2,59136,443,T,O,A,E,0,0,0,0                1635172378,ip1,ip2,56756,9997,T,O,A,B,,,,                1635172378,ip1,ip2,58686,9997,T,O,A,B,,,,                1635172379,ip1,ip2,53684,9997,T,O,A,B,,,, Result: Event 1: category: NetworkSecurityGroupFlowEvent    macAddress: xxxxxxxxxx    operationName: NetworkSecurityGroupFlowEvents    properties: { [-]      Version: 2      flows: [ [-]        { [-]          flows: [ [-]            { [-]              flowTuples: [ [-]                1635172376,ip1,ip2,58636,443,T,O,A,E,6,1611,1,66               Event2: category: NetworkSecurityGroupFlowEvent    macAddress: xxxxxxxxxx    operationName: NetworkSecurityGroupFlowEvents    properties: { [-]      Version: 2      flows: [ [-]        { [-]          flows: [ [-]            { [-]              flowTuples: [ [-]               1635172377,ip1,ip2,27910,443,T,O,A,B,,,,                 Thanks

I'm trying to use the map command and it seems to fail when I try using some functions within the subsearch (specifically: cidrmatch()).    This search returns a correctly-populated table of all the fields except for the "matches" field which is just empty  index=my_index earliest=-5m | table _time src_ip | map search=" | search index=my_other_index  earliest=-6h | rename id as id2 | dedup id2 | eval searchip=$src_ip$ | eval matches=if(cidrmatch(cidr_block, searchip), "true", "false") | table id2 searchip matches cidr_block" Note: my goal is to join two searches but not based on a common field, based on cidrmatching ips from one search to the cidrblocks in the other. I don't want to use lookup tables as I want both to be dynamic.