Splunk Search

Are there limits for lookups in regards to extracting fields from them?


I have a lookup that recently stopped auto extracting fields. What I've noticed is that if I do a join, I can join if in the subsearch I specifically search for that row, but doing the normal lookup command gives me nothing. For example, something like:

index=a sourcetype=a host=host1 | lookup host_lookup host as host output fieldA

does not give me the fieldA value for host1. However, if I do:

index=a sourcetype=a host=host1 | join host [|inputlookup host_lookup | table host fieldA| search host=host1]

I get fieldA just fine in that case. So clearly it would appear to me that some sort of limit is getting hit, even though I don't seem to be seeing any indication in the UI or Job inspection stating that I am hitting a limit. Does anyone know if this is indeed a limit I'm hitting? Or is there anything else I can look into?



Tell us more about the lookup file. How large is it?
What changed around the time the lookup stopped working?

If this reply helps you, Karma would be appreciated.