https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199231#M57672 <P>I am trying to join a very large lookup dataset (cab) with my main SPLUNK query and have the lookup data loaded into a separate index. The lookup data being used doesnt have a date element associated with it and therefore the only way to access it seems to be by using the earliest=-1y latest=now conditions.</P> <P>I have been trying to run the following query but I have the suspicion that the date windows are not getting applied to each datasource input and nothing is getting read back from the cab index and Im just getting a result set with data from ff</P> <P>(index=ff earliest=-60m latest=now) OR (index=cab earliest=-1y latest=now) | transaction UniqueID</P> <P>I have been able to get this working using a join in SPLUNK but have been reading here that sometimes a join is not the best way to do this so wanted to have a look at OR'ing the 2 data inoputs and using stats or transaction.</P> <P>index=cab earliest=-1y latest=now | join type=inner DN_STRIP [search index=ff earliest=-60m latest=now | rename num_strip as DN_STRIP] | stats count by PCP_ID1 | rename PCP_ID1 as ID | sort - count | search count&gt;5</P> <P>Any ideas would be appreciated.</P> Mon, 28 Sep 2020 17:27:31 GMT garryclarke 2020-09-28T17:27:31Z https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199231#M57672 <P>I am trying to join a very large lookup dataset (cab) with my main SPLUNK query and have the lookup data loaded into a separate index. The lookup data being used doesnt have a date element associated with it and therefore the only way to access it seems to be by using the earliest=-1y latest=now conditions.</P> <P>I have been trying to run the following query but I have the suspicion that the date windows are not getting applied to each datasource input and nothing is getting read back from the cab index and Im just getting a result set with data from ff</P> <P>(index=ff earliest=-60m latest=now) OR (index=cab earliest=-1y latest=now) | transaction UniqueID</P> <P>I have been able to get this working using a join in SPLUNK but have been reading here that sometimes a join is not the best way to do this so wanted to have a look at OR'ing the 2 data inoputs and using stats or transaction.</P> <P>index=cab earliest=-1y latest=now | join type=inner DN_STRIP [search index=ff earliest=-60m latest=now | rename num_strip as DN_STRIP] | stats count by PCP_ID1 | rename PCP_ID1 as ID | sort - count | search count&gt;5</P> <P>Any ideas would be appreciated.</P> Mon, 28 Sep 2020 17:27:31 GMT https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199231#M57672 garryclarke 2020-09-28T17:27:31Z https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199232#M57673 <P>All events in a Splunk index have a date associated with them - if there is none in the data, then Splunk uses the time that the data was indexed as the event time. I don't think you can set two time ranges within a single search - you can use the Search Job Inspector to see how Splunk has interpreted your first search.</P> <P>If the <CODE>cab</CODE> data is just used for lookups, why not use the Splunk lookup feature instead of indexing the data? I don't know what "a very large lookup dataset" is for you, but Splunk can handle lookup tables of over 10 million entries (based on what I see in <CODE>limits.conf</CODE>).</P> <P>Here is a link to the <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchTutorial/Usefieldlookups">Splunk tutorial on lookups</A>.<BR /> You might also benefit from David Carasso's book <A href="http://www.splunk.com/goto/book">Exploring Splunk</A>, where the final chapter is about lookups. (Book is free in electronic form).</P> Tue, 02 Sep 2014 17:55:03 GMT https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199232#M57673 lguinn2 2014-09-02T17:55:03Z https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199233#M57674 <P>Thanks lguinn i wil have a look at the lookup approach. I had this view that accessing indexed data might be faster than a lookup file but then with the difficulty of not have a time field in the cab data it makes it more complicated.<BR /> I'll prototype and compare both approaches.<BR /> The very large data lookup I refer to is approximately 2 million rows of data so I guess not big in SPLUNK terms</P> Tue, 02 Sep 2014 19:05:39 GMT https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199233#M57674 garryclarke 2014-09-02T19:05:39Z https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199234#M57675 <P>Your thinking was good about indexing - but Splunk secretly creates in-memory indexes for lookup files, even for 2 million rows. That's why lookups can be fast too.</P> Tue, 02 Sep 2014 19:28:28 GMT https://community.splunk.com/t5/Splunk-Search/Query-accessing-a-very-large-lookup-in-another-index-earliest/m-p/199234#M57675 lguinn2 2014-09-02T19:28:28Z