Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to store more than 50,000 results in lookup table?

Mr_person
Explorer
‎03-30-2023 10:15 AM

See title, I'm using a scheduled query to prune a set of results from a lookup table, this lookup table has over 2m results, but after the prune, it's truncated down to 50,000. This exclusively happens when I schedule the lookup table with the "replace" option. Append works perfectly.

Pruning script:

 

 

| inputlookup my_lookup.csv
| where _time > relative_time(now(),"-6m")

 

 


Pruning schedule options: 

Mr_person_1-1680196469412.png

I've tried setting the output location to both my_lookup.csv and to other lookups. In both cases, 50,000 results seems to be the limit for the replaced lookup table.

Append schedule options:

Mr_person_0-1680196438861.png

Any help is appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-30-2023 10:58 AM

Hi @Mr_person,

You are hitting the max_action_results on limits.conf which is default 50000. It is not a good idea to increase this limit to 2 million.

It seems your only option is using outputlookup in your search although it seems not safe.

limits.conf

[scheduler]
max_action_results = <integer>
* The maximum number of results to load when triggering an alert action.
* Default: 50000

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-30-2023 10:58 AM

Hi @Mr_person,

You are hitting the max_action_results on limits.conf which is default 50000. It is not a good idea to increase this limit to 2 million.

It seems your only option is using outputlookup in your search although it seems not safe.

limits.conf

[scheduler]
max_action_results = <integer>
* The maximum number of results to load when triggering an alert action.
* Default: 50000

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Mr_person
Explorer
‎03-30-2023 10:21 AM

Also, I'm aware of the fact that I could change the report to use the outputlookup command inside of the search string, but that makes the report unsafe for others to open. For those looking for a workaround: 

| inputlookup my_lookup.csv
| where _time > relative_time(now(),"-6m")
| outputlookup my_lookup.csv append=false

 
Again this is unsafe and not ideal though. 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...