https://community.splunk.com/t5/Splunk-Search/Avoiding-CSV-lookup-replication-errors/m-p/402166#M116392 <P>The problem isn’t going to be fixed by “dribbling in” the csv one piece at a time. </P> <P>Depending on the version of splunk you have limits.conf on the search heads and indexers will have a default setting of 800MB or 2GB for search bundle replication (I think it’s 2GB since 6.6). </P> <P>You’re going over that limit by x MEgabytes when you upload the csv... and causing the issue.</P> <P>There are several solutions documented for this.</P> <OL> <LI>Increase the limits (just know it affects network bandwidth. See search bundle replication settings in limits.conf - you can’t do this via UI as far as I know.</LI> <LI>Reduce the size and or number of existing lookups</LI> <LI>you can probably do this</LI> <LI>Index the data via the web UI and use join, append, etc (using an “OR” condition is better than joins, google how to join without join in splunk)</LI> <LI>you can probably do this</LI> </OL> Tue, 26 Jun 2018 12:54:58 GMT jkat54 2018-06-26T12:54:58Z https://community.splunk.com/t5/Splunk-Search/Avoiding-CSV-lookup-replication-errors/m-p/402164#M116390 <P>I've got a medium-sized (50MB) CSV lookup file with two columns (email address and server name) that I want to use. I tried a straight upload and managed to put down our Splunk instance because replication failed and blocked all searches. Can I dribble the file in 100K lines at a time using <CODE>outputlookup append=t</CODE>? Or does the replication just take the whole lookup bundle and try and replicate everything? </P> <P><STRONG>Please note</STRONG>: I do not have access to the file system; whatever the solution is, I have to be able to do it from Splunk Web.</P> <P>Thanks!</P> Sat, 23 Jun 2018 20:37:31 GMT https://community.splunk.com/t5/Splunk-Search/Avoiding-CSV-lookup-replication-errors/m-p/402164#M116390 Kenshiro70 2018-06-23T20:37:31Z https://community.splunk.com/t5/Splunk-Search/Avoiding-CSV-lookup-replication-errors/m-p/402165#M116391 <P>Hi There,</P> <P>That seems a tad bit more than a medium size csv you have there, how many records have you got within it? Have you looked into utilising a KV store instead?</P> Tue, 26 Jun 2018 11:01:19 GMT https://community.splunk.com/t5/Splunk-Search/Avoiding-CSV-lookup-replication-errors/m-p/402165#M116391 paulbannister 2018-06-26T11:01:19Z https://community.splunk.com/t5/Splunk-Search/Avoiding-CSV-lookup-replication-errors/m-p/402166#M116392 <P>The problem isn’t going to be fixed by “dribbling in” the csv one piece at a time. </P> <P>Depending on the version of splunk you have limits.conf on the search heads and indexers will have a default setting of 800MB or 2GB for search bundle replication (I think it’s 2GB since 6.6). </P> <P>You’re going over that limit by x MEgabytes when you upload the csv... and causing the issue.</P> <P>There are several solutions documented for this.</P> <OL> <LI>Increase the limits (just know it affects network bandwidth. See search bundle replication settings in limits.conf - you can’t do this via UI as far as I know.</LI> <LI>Reduce the size and or number of existing lookups</LI> <LI>you can probably do this</LI> <LI>Index the data via the web UI and use join, append, etc (using an “OR” condition is better than joins, google how to join without join in splunk)</LI> <LI>you can probably do this</LI> </OL> Tue, 26 Jun 2018 12:54:58 GMT https://community.splunk.com/t5/Splunk-Search/Avoiding-CSV-lookup-replication-errors/m-p/402166#M116392 jkat54 2018-06-26T12:54:58Z