Splunk Enterprise Security

Splunk App for Enterprise Security: Where to change the setting for lookup table maximum allowable value?

grambo271
Explorer

Greetings... I'm still very junior to the world of Splunk so I thought I'd reach out to the community for a little direction. We are running the Enterprise Security Suite 3x version on Splunk 6.1.3. I have noticed the following messsage is generated daily:

"msg="A lookup table used in a CIDR or WILDCARD definition exceeds the maximum allowable value" file="asn_by_cidr.csv" size="14690788" limit="10000000"

I have tried (with little success) to find out where this size limit is defined. Has anyone else seen this error and if so, could you suggest where to change this setting?

Thanks in advance

1 Solution

Nicolo_Figiani
Path Finder

Hi,
I had the same problem (on ES 3.1 and Splunk 6.1.3). I solved the issue by editing the following configuration file:

/opt/splunk/etc/system/local/limits.conf

In particular, I've added the following snippet of configuration:

[lookup]
max_memtable_bytes = 100000000

The increase of "max_memtable_bytes" will make the error message to stop appearing and will make Splunk working without trouble.

Regards.

View solution in original post

Nicolo_Figiani
Path Finder

Hi,
I had the same problem (on ES 3.1 and Splunk 6.1.3). I solved the issue by editing the following configuration file:

/opt/splunk/etc/system/local/limits.conf

In particular, I've added the following snippet of configuration:

[lookup]
max_memtable_bytes = 100000000

The increase of "max_memtable_bytes" will make the error message to stop appearing and will make Splunk working without trouble.

Regards.

grambo271
Explorer

Thank you both. The addition of the [lookup] stanza seems to have fixed the issue.

Appreciate your assistance!!

0 Karma

rfaircloth_splu
Splunk Employee
Splunk Employee

Notes this must be system local you can't include this setting in an app

DerekKing
Path Finder

I think you'll find all global default limits, in the /etc/system/defaults/limits.conf file.

Take a copy of it into the local directory, and then make your changes.

Regards
Derek

Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...