Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to store more than 50,000 results in lookup table?

Mr_person
Explorer
‎03-30-2023 10:15 AM

See title, I'm using a scheduled query to prune a set of results from a lookup table, this lookup table has over 2m results, but after the prune, it's truncated down to 50,000. This exclusively happens when I schedule the lookup table with the "replace" option. Append works perfectly.

Pruning script:

 

 

| inputlookup my_lookup.csv
| where _time > relative_time(now(),"-6m")

 

 


Pruning schedule options: 

Mr_person_1-1680196469412.png

I've tried setting the output location to both my_lookup.csv and to other lookups. In both cases, 50,000 results seems to be the limit for the replaced lookup table.

Append schedule options:

Mr_person_0-1680196438861.png

Any help is appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-30-2023 10:58 AM

Hi @Mr_person,

You are hitting the max_action_results on limits.conf which is default 50000. It is not a good idea to increase this limit to 2 million.

It seems your only option is using outputlookup in your search although it seems not safe.

limits.conf

[scheduler]
max_action_results = <integer>
* The maximum number of results to load when triggering an alert action.
* Default: 50000

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-30-2023 10:58 AM

Hi @Mr_person,

You are hitting the max_action_results on limits.conf which is default 50000. It is not a good idea to increase this limit to 2 million.

It seems your only option is using outputlookup in your search although it seems not safe.

limits.conf

[scheduler]
max_action_results = <integer>
* The maximum number of results to load when triggering an alert action.
* Default: 50000

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Mr_person
Explorer
‎03-30-2023 10:21 AM

Also, I'm aware of the fact that I could change the report to use the outputlookup command inside of the search string, but that makes the report unsafe for others to open. For those looking for a workaround: 

| inputlookup my_lookup.csv
| where _time > relative_time(now(),"-6m")
| outputlookup my_lookup.csv append=false

 
Again this is unsafe and not ideal though. 

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...