Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Avoiding CSV lookup replication errors

Kenshiro70
Path Finder
‎06-23-2018 01:37 PM

I've got a medium-sized (50MB) CSV lookup file with two columns (email address and server name) that I want to use. I tried a straight upload and managed to put down our Splunk instance because replication failed and blocked all searches. Can I dribble the file in 100K lines at a time using outputlookup append=t? Or does the replication just take the whole lookup bundle and try and replicate everything?

Please note: I do not have access to the file system; whatever the solution is, I have to be able to do it from Splunk Web.

Thanks!

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-26-2018 05:54 AM

The problem isn’t going to be fixed by “dribbling in” the csv one piece at a time.

Depending on the version of splunk you have limits.conf on the search heads and indexers will have a default setting of 800MB or 2GB for search bundle replication (I think it’s 2GB since 6.6).

You’re going over that limit by x MEgabytes when you upload the csv... and causing the issue.

There are several solutions documented for this.

  1. Increase the limits (just know it affects network bandwidth. See search bundle replication settings in limits.conf - you can’t do this via UI as far as I know.
  2. Reduce the size and or number of existing lookups
  3. you can probably do this
  4. Index the data via the web UI and use join, append, etc (using an “OR” condition is better than joins, google how to join without join in splunk)
  5. you can probably do this
0 Karma
Reply

paulbannister
Communicator
‎06-26-2018 04:01 AM

Hi There,

That seems a tad bit more than a medium size csv you have there, how many records have you got within it? Have you looked into utilising a KV store instead?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...