- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Datamodel search with Datamodel Subsearch Circular...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Datamodel search with Datamodel Subsearch Circular Dependancy Error
How do I fix this search to avoid- 'Error in 'SearchParser': Found circular dependency when expanding datamodel=Intrusion_Detection.Network_IDS_Attacks'
|datamodel Intrusion_Detection Network_IDS_Attacks search | search index=alienvault earliest=-0d@d latest=now |eval ReportKey="today" |append [|datamodel Intrusion_Detection Network_IDS_Attacks search |search index=alienvault earliest=-1d@d latest=-0d@d |eval ReportKey="yesterday" |eval _time=_time+86400] |timechart count by ReportKey
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
the timewrap ( http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Timewrap ) command is now part of Splunk Enterprise, it looks like this is what you are trying to achieve, maybe that command would help and make things easier?
Thanks
Darren
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't answer original question and doesn't help any future Splunk users (like me) who have this same problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like i just need to convert to using tstats as per the subsearch documentation -
'The first command in a subsearch must be a generating command such as search, eventcount, or tstats. For a list of generating commands, see Command types in the Search Reference'
http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Aboutsubsearches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems to work - will need to further validate ..
|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time |eval Report="yesterday" |append [|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time |eval Report="today"] |addinfo |eval _time=if(_time < info_min_time + 24*3600, _time + 24*3600, _time) |xyseries _time Report count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The numbers don't match the raw search even with the exact same time aggregation buckets. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-1d@d latest=-0d@d by _time span=10m |eval Report="yesterday" | eval _time=_time + 86400 |append [|tstats count FROM datamodel=Intrusion_Detection WHERE index=alienvault earliest=-0d@d latest=now by _time span=10m |eval Report="today"] | timechart sum(count) by Report
Equivalent regular search
your base search earliest=-1d@d latest=now | eval Report=if(_time>=relative_time(now(),"@d"),"today","yesterday") | eval _time=if(_time<relative_time(now(),"@d"),_time+86400,_time)
| timechart count by Report
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems to be kinda difficult to use tstats in this scenario, i think it has to do with aggregating counts before i'm ready to count by timeframe at the end of the search.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
