Incomplete search results because of lookup definition's maximum match limit in Splunk

mbasharat
Builder

Re-initiation of an older question I had asked:

 

Hi,

I have a need for an alternative of | lookup abc field1 AS field2 OUTPUT field1, fieldA, fieldB, fieldC.

For the above, I have a lookup definition from a lookup that holds information about more than 50,000 vulnerabilities. I am using this lookup definition in my queries and the result set is no more than 1000. 1000 is the maxmatch limit of a lookup definition that Splunk supports. I need an alternative, e.g. a subsearch using the lookup itself or anything that allows me to match all the values in my lookup, which is approximately 50,000 on average, as efficiently as possible.

Sample query (the original query is much longer, but I will be using your provided solution to consolidate):

index=ABC sourcetype="XYZ"

`comment (This is to reduce Splunk's internal fields to keep my table size smaller)`
| fields - index, source, sourcetype, splunk_server, splunk_server_group, host, eventtype, field, linecount, punct, tag, tag::eventtype, _raw

`comment (This is to limit to the only fields which I need)`
| fields dns, vuln_id

`comment (vuln_id is a multivalued field and I have to separate them to get accurate stats. When stats is run, it takes care of expanding them and it works as expected)`
| makemv delim="," vuln_id

| stats count by vuln_id, dns

| lookup vuln_info VulnID AS vuln_id OUTPUT Scan_Type, OS, Environment


The approach below is what I have tried; it is not returning anything, but it should. I am missing something in this:

index=ABC sourcetype="XYZ"
| fields - index, source, sourcetype, splunk_server, splunk_server_group, host, eventtype, field, linecount, punct, tag, tag::eventtype, _raw
| fields dns, vuln_id
| makemv delim="," vuln_id
| stats count by vuln_id, dns
[| inputlookup vuln_info.csv
| fields VulnID, Scan_Type, OS, Environment
| rename VulnID as vuln_id]

Any solution that works as efficiently as possible to get all records from the lookup, instead of an incomplete dataset due to the lookup definition's maxmatch limit of 1000 in Splunk, would be appreciated. Thanks in advance!!!

1 Solution

scelikok
SplunkTrust

Hi @mbasharat,

Can you try appendpipe?

index=ABC sourcetype="XYZ"
| fields - index, source, sourcetype, splunk_server, splunk_server_group, host, eventtype, field, linecount, punct, tag, tag::eventtype, _raw
| fields dns, vuln_id
| makemv delim="," vuln_id
| stats count by vuln_id, dns
| appendpipe
[| inputlookup max=0 vuln_info.csv
| fields VulnID, Scan_Type, OS, Environment
| rename VulnID as vuln_id]
| stats count values(dns) as dns values(Scan_Type) as Scan_Type values(OS) as OS values(Environment) as Environment by vuln_id

 

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

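Added example (not from this thread): the accepted appendpipe approach with the per-host count carried in its own field, so the appended lookup rows do not inflate the final count, plus a closing where that drops lookup entries for vulnerabilities that never appeared in the scan events. The index, sourcetype, field names and vuln_info.csv are the ones used in the question; event_count and host_count are names chosen here.

```spl
index=ABC sourcetype="XYZ"
| fields dns, vuln_id
| makemv delim="," vuln_id
| stats count AS event_count BY vuln_id, dns
| appendpipe
    [| inputlookup max=0 vuln_info.csv
     | fields VulnID, Scan_Type, OS, Environment
     | rename VulnID AS vuln_id
     | eval event_count=0]
| stats sum(event_count) AS event_count dc(dns) AS host_count values(dns) AS dns values(Scan_Type) AS Scan_Type values(OS) AS OS values(Environment) AS Environment BY vuln_id
| where host_count > 0
```

Rows for vuln_id values that have no entry in the lookup are kept with empty Scan_Type, OS and Environment, which matches what the lookup command would have returned for them.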


mbasharat
Builder

@scelikok,

Doing some testing so will respond back shortly.


scelikok
SplunkTrust

Hi @mbasharat,

The way you used inputlookup in your second search is not matching but filtering. Please try the below:

 

index=ABC sourcetype="XYZ"
| fields - index, source, sourcetype, splunk_server, splunk_server_group, host, eventtype, field, linecount, punct, tag, tag::eventtype, _raw
| fields dns, vuln_id
| makemv delim="," vuln_id
| stats count by vuln_id, dns
| append
[| inputlookup vuln_info.csv
| fields VulnID, Scan_Type, OS, Environment
| rename VulnID as vuln_id]
| stats count values(dns) as dns values(Scan_Type) as Scan_Type values(OS) as OS values(Environment) as Environment by vuln_id

 

 

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

mbasharat
Builder

Hi @scelikok,

Append has a max results limit of 50,000. I have a lot more than this. Any join option? Thanks.
