https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281280#M84849 <P>I change my answer to "Use KV Store".</P> Mon, 06 Jun 2016 15:24:23 GMT woodcock 2016-06-06T15:24:23Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281276#M84845 <P>I have a lookup file as CSV which contains &gt; 27 million rows and is 2GB in size. When zipped it is 500MB.</P> <P>I need to lookup search results to add fields from the lookup table. Splunk complains that the lookup file is too big (error in splunk logs).</P> <P>What I'd like to know is what is the best option to work around this. Things I can think of:</P> <P>1) Index the lookup data and do a join or subsearch<BR /> 2) Put the lookup data in a database and query it using Splunk DB connect<BR /> 3) Put the lookup data in a database and query it using REST or Python (perhaps using Redis to accelerate the DB queries)</P> <P>Can you advise what the best route is?</P> Mon, 06 Jun 2016 11:03:14 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281276#M84845 charltones 2016-06-06T11:03:14Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281277#M84846 <P>You could also split the lookup into multiple lookup files. That is probably what I would do, if it is mostly upper-bounded at this point (will not grow very much).</P> Mon, 06 Jun 2016 12:55:19 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281277#M84846 woodcock 2016-06-06T12:55:19Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281278#M84847 <P>Hi,</P> <P>Have you try convert the csv into kv store? If your version support kvstore</P> <P>Hope i help you</P> Mon, 06 Jun 2016 15:12:24 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281278#M84847 jmallorquin 2016-06-06T15:12:24Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281279#M84848 <P>Now why didn't I think of that?!</P> Mon, 06 Jun 2016 15:24:05 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281279#M84848 woodcock 2016-06-06T15:24:05Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281280#M84849 <P>I change my answer to "Use KV Store".</P> Mon, 06 Jun 2016 15:24:23 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281280#M84849 woodcock 2016-06-06T15:24:23Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281281#M84850 <P>Looks like kvstore is the thing to use! Many thanks I wasn't aware of it until now. I've tried setting up DB Connect anyway, but this looks like a simpler route. I will give it a go.</P> Mon, 06 Jun 2016 17:26:26 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281281#M84850 charltones 2016-06-06T17:26:26Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281282#M84851 <P>Yes this is the route I started to go down, but I will very likely need to search across multiple partitions of the data set. The most sensible partition is to split the data by country, but I will probably need to search across multiple countries.</P> Mon, 06 Jun 2016 17:28:36 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-greater-than-2GB-possible-solutions/m-p/281282#M84851 charltones 2016-06-06T17:28:36Z