Splunk Search

Does the lookup command have a limit

klim
Path Finder

I am currently using a lookup to find matching IDs in my data. The lookup table is like 400k rows and if I use inputlookup with a join or append there is a limit to the amount of rows that is searched for from the lookup table.

I am now using just the command "lookup" to find the matching data and it works without any truncating warnings but I'm wondering if there is a limit for this command similar to subsearches. I can't seem to find anything in the lookup documentation.

sample search index=some_index | lookup users_list.csv ID OUTPUTNEW username

I output a new variable so that I can do " search username=*" since username is a new field and that will give me only matching IDs in my lookup table.

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The lookup command does not have a (practical) limit.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The lookup command does not have a (practical) limit.

---
If this reply helps you, Karma would be appreciated.
0 Karma

klim
Path Finder

What do you mean by (pratical)?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

One that you are likely to run into.  There's bound to be some sort of limit in the code, but nothing that an ordinary lookup file is going to hit.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...