Why am I unable to store more than 50,000 results in lookup table?

Mr_person
Explorer

See title. I'm using a scheduled query to prune a set of results from a lookup table. This lookup table has over 2m results, but after the prune it's truncated down to 50,000. This happens exclusively when I schedule the lookup table with the "replace" option. Append works perfectly.

Pruning script:

| inputlookup my_lookup.csv
| where _time > relative_time(now(),"-6m")

Pruning schedule options: [screenshot not reproduced]

I've tried setting the output location to both my_lookup.csv and to other lookups. In both cases, 50,000 results seems to be the limit for the replaced lookup table.

Append schedule options: [screenshot not reproduced]

Any help is appreciated.


scelikok
SplunkTrust

Hi @Mr_person,

You are hitting max_action_results in limits.conf, which defaults to 50000. It is not a good idea to increase this limit to 2 million.

It seems your only option is using outputlookup in your search, although it seems not safe.

limits.conf

[scheduler]
max_action_results = <integer>
* The maximum number of results to load when triggering an alert action.
* Default: 50000

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

Mr_person
Explorer

Also, I'm aware that I could change the report to use the outputlookup command inside the search string, but that makes the report unsafe for others to open. For those looking for a workaround:

| inputlookup my_lookup.csv
| where _time > relative_time(now(),"-6m")
| outputlookup my_lookup.csv append=false

Again, this is unsafe and not ideal, though.

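Added example, not from the thread and not Splunk code: a Python script that performs the same _time-based prune offline on a CSV lookup and adds the check a practitioner would want here, namely flagging a result count that lands on the 50,000 cap as a sign the lookup was silently clipped. `scheduled_action_view` is a hypothetical model of the max_action_results cap described in the answer above; the sample lookup rows are constructed. The age of the pruning window is given in seconds because Splunk's relative_time reads the unit "m" as minutes and "mon" as months.

```python
import csv
import io

# Default [scheduler] max_action_results from limits.conf, as quoted in the thread.
MAX_ACTION_RESULTS = 50000


def prune_rows(rows, now, max_age_seconds):
    """Keep only rows whose epoch _time is newer than now - max_age_seconds.

    Mirrors `| where _time > relative_time(now(), ...)`; the age is taken in
    seconds so there is no ambiguity about Splunk's unit letters.
    """
    cutoff = now - max_age_seconds
    return [row for row in rows if float(row["_time"]) > cutoff]


def scheduled_action_view(rows, cap=MAX_ACTION_RESULTS):
    """Hypothetical model (not Splunk code) of what an alert action receives:
    at most `cap` results, everything past max_action_results is dropped."""
    return rows[:cap]


def looks_truncated(result_count, cap=MAX_ACTION_RESULTS):
    """A lookup whose row count lands exactly on the cap was almost certainly clipped."""
    return result_count >= cap


def prune_lookup_csv(csv_text, now, max_age_seconds):
    """Prune a CSV lookup held in memory; return (new_csv_text, kept_row_count)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames
    kept = prune_rows(list(reader), now, max_age_seconds)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(kept)
    return out.getvalue(), len(kept)


def make_sample_lookup(now, n_recent, n_old, max_age_seconds):
    """Constructed sample data: n_recent rows inside the window, n_old rows outside it."""
    rows = []
    for i in range(n_recent):
        rows.append({"_time": str(now - i), "indicator": f"recent-{i}"})
    for i in range(n_old):
        rows.append({"_time": str(now - max_age_seconds - 1 - i), "indicator": f"old-{i}"})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["_time", "indicator"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def demo():
    """Prune a constructed 100k-row lookup and compare what survives the prune
    with what a capped scheduled action would actually write back."""
    now = 1_700_000_000                      # fixed epoch so the run is reproducible
    six_months = 6 * 30 * 24 * 3600          # pruning window in seconds
    csv_text = make_sample_lookup(now, n_recent=70_000, n_old=30_000,
                                  max_age_seconds=six_months)
    _, kept = prune_lookup_csv(csv_text, now, six_months)
    delivered = len(scheduled_action_view([None] * kept))
    return {
        "kept": kept,                        # rows that should remain: 70000
        "delivered_to_action": delivered,    # rows the capped action sees: 50000
        "truncated": looks_truncated(delivered),
    }


if __name__ == "__main__":
    print(demo())
```

The `truncated` flag is the detection worth wiring into whatever job maintains a large lookup: a row count after a "replace" run that equals the cap means data was lost, not that the prune happened to leave exactly 50,000 rows.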