@Yemi_SplunkThanks for your post on this. We are on Version: 8.2.2104.1 I've had a look at the logs again but I can't enough information to identify the lookup that is causing the problem. The search that gives this error is searching for a specific UserId in Office 365 data. When I run the search I get the warning: warn : Cannot expand lookup field 'UserId' due to a reference cycle in the lookup configuration. Rewrite the lookup configuration to remove the reference cycle. And in search.log I get this: 07-27-2021 11:34:41.648 INFO SearchEvaluatorBasedExpander [13577 searchOrchestrator] - Performing lookup expansions 07-27-2021 11:34:41.648 WARN AutoLookupDriver [13577 searchOrchestrator] - Detected a cycle: fieldname=UserId, visitedFields=UserId 07-27-2021 11:34:41.648 WARN AutoLookupDriver [13577 searchOrchestrator] - sid:fe0545bbe5a575d7_tmp Cannot expand lookup field 'UserId' due to a reference cycle in the lookup configuration. Rewrite the lookup configuration to remove the reference cycle. 07-27-2021 11:34:41.648 INFO SearchEvaluatorBasedExpander [13577 searchOrchestrator] - Lookup expansion took 0 ms   I can't see the name of the problem lookup. Am I missing something obvious or doing something wrong? @rayl  I didn't see the post about 8.2.2105 until after I posted the above. I eagerly await the update to our Splunk Cloud instance! ... View more

@johnhuang  Thanks for your message. That explains why the problem with the 'user' field went away as I had updated the Salesforce App some time after finding the problem. I still have the problem with 'UserId' in our Office 365 index though I can work around that by using the 'user' field which has the same data. I too have been looking in search.log but I am unable to tell which lookup is causing the problem. I get "Reading schema for lookup table" for about every lookup we have and that is followed by: 06-30-2021 10:58:54.127 INFO SearchEvaluatorBasedExpander [14716 searchOrchestrator] - Performing lookup expansions 06-30-2021 10:58:54.128 WARN AutoLookupDriver [14716 searchOrchestrator] - Detected a cycle: fieldname=UserId, visitedFields=UserId 06-30-2021 10:58:54.128 WARN AutoLookupDriver [14716 searchOrchestrator] - sid:1625050733.210543 Cannot expand lookup field 'UserId' due to a reference cycle in the lookup configuration. Rewrite the lookup configuration to remove the reference cycle. Is there a way to tell which lookup is causing the problem? @rayl  says above that Splunk are looking into whether they can make the message more actionable but at present I can't see a way to identify the problem lookup. ... View more

@rayl  Thanks for the background information. It helps to understand what's going on. I no longer get the warning with the 'user' field in wineventlog data (I don't know why that problem has disappeared) but I do still get it on the 'UserId' field in office365. With office365 data I find that with the time picker set to 30 days searches on the 'UserId' field take a very long time and scan millions of events whereas searches on the 'user' field take only a second or two and scan just hundreds of events. The two field names reference the same data so it makes a good comparison. However with all the various lookups created by the add-ons it is not easy to find what is causing the problem. I really need to know the names of the lookups involved. Is there any way of getting that information? Thanks. ... View more

@jmyers I think you're right about the automatic lookups. I have this in the search log 03-18-2021 16:35:08.065 INFO SearchEvaluatorBasedExpander [20232 searchOrchestrator] - Performing lookup expansions 03-18-2021 16:35:08.065 WARN AutoLookupDriver [20232 searchOrchestrator] - Detected a cycle: fieldname=UserId, visitedFields=UserId,user 03-18-2021 16:35:08.065 WARN AutoLookupDriver [20232 searchOrchestrator] - sid:1616085307.16530 Cannot expand lookup field 'user' due to a reference cycle in the lookup configuration. Rewrite the lookup configuration to remove the reference cycle. But I've yet to find the lookup that is causing the problem.     ... View more

Not an answer, but I am seeing the same problem with the 'user' field in wineventlog data. But if I change my search to use the Logon_Account field instead then I get the same results but without the warning. (Though Logon_Account is only present because I'm just looking at records where EventCode=4776.) There does not seem to be any problem the results, it is only a warning and not an error. But I would like to know for sure what is causing it. I should add, we are using Splunk Cloud 8.1.2101.2 ... View more

This is a late answer but I was in this position and could not find the answer anywhere so maybe this will document it for someone else who is searching. If SAML SSO is already set up (as the question states) and you are using Azure AD then what you need to do is to add the users to the Azure AD group that has been created to give access to Splunk. You don't need to do anything in Splunk. I did also do "Reload authentication configuration" under Access controls, Authentication method, but I don't think that was necessary. The users do not appear in the Splunk user list until they have logged in. ... View more