Splunk Search

Are there limits for lookups with regard to extracting fields from them?

Contributor

I have a lookup that recently stopped auto extracting fields. What I've noticed is that if I do a join, I can join if in the subsearch I specifically search for that row, but doing the normal lookup command gives me nothing. For example something like:

index=a sourcetype=a host=host1 | lookup host_lookup host as host output fieldA

Does not give me the fieldA value for host1; however, if I do:

index=a sourcetype=a host=host1 | join host [| inputlookup host_lookup | table host fieldA | search host=host1]

I get fieldA just fine in that case. So clearly it would appear to me some sort of limit is getting hit, even though I don't seem to be seeing any indication in the UI or Job inspection telling me that I am hitting a limit. Does anyone know if this is indeed a limit I'm hitting? Or is there anything else I can look into?

0 Karma

SplunkTrust

Tell us more about the lookup file. How large is it?
What changed around the time the lookup stopped working?

---
If this reply helps you, an upvote would be appreciated.
0 Karma