Splunk Search

Are there limits for lookups in regards to extracting fields from them?


I have a lookup that recently stopped auto-extracting fields. What I've noticed is that if I do a join, I can join if in the subsearch I specifically search for that row, but doing the normal lookup command gives me nothing. For example, something like:

index=a sourcetype=a host=host1 | lookup host_lookup host as host output fieldA

Does not give me the fieldA value for host1; however, if I do:

index=a sourcetype=a host=host1 | join host [|inputlookup host_lookup | table host fieldA| search host=host1]

I get fieldA just fine in that case. So clearly it would appear to me some sort of limit is getting hit, even though I don't seem to be seeing any indication in the UI or Job inspection telling me that I am hitting a limit. Does anyone know if this is indeed a limit I'm hitting? Or is there anything else I can look into?

0 Karma


Tell us more about the lookup file. How large is it?
What changed around the time the lookup stopped working?

If this reply helps you, an upvote would be appreciated.
0 Karma