Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How many lookup tables can I use in one splunk query?

logloganathan
Motivator
‎03-20-2018 08:57 AM

Can anyone please tell how may lookup table can I use in one particular Splunk query?

Are there any restrictions?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-20-2018 09:15 AM

I have not run into any restrictions. Are you asking about lookup tables that you'll use as lookups (using the lookup search command) or lookup tables that you'll use as search filters (using the inputlookup search command)? The first is likely to slow things down if you are running a lot of chained lookups, and the latter is possible to grow your search results to an unmanageable size, depending on the size of the lookup file.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-20-2018 11:42 AM

@logloganathan, how many lookup files are you planning to have? Rather than search limitation you should consider from Admin point of view as to how many lookup tables can you maintain for a single app.

What is the kind of data that your lookup tables can have and reason for several lookups to be used in single search? Can you index the lookup files and use index, source, sourcetype for correlation?

You should also consider creating KV Store for better maintenance of such kind of data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎03-20-2018 09:37 AM

I don't believe there is a limit - however, using many large lookups can impact your performance.

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-20-2018 09:15 AM

I have not run into any restrictions. Are you asking about lookup tables that you'll use as lookups (using the lookup search command) or lookup tables that you'll use as search filters (using the inputlookup search command)? The first is likely to slow things down if you are running a lot of chained lookups, and the latter is possible to grow your search results to an unmanageable size, depending on the size of the lookup file.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...