Splunk Search
Highlighted

Is there a limit on the search terms or the number of AND/OR conditions?

Explorer

I create a search query as follows:

sourcetype="websense:proxy"

| table src_host policy

| dedup src_host policy

| search NOT [inputlookup ip_white_list.csv]

The ip_white_list.csv file contains 2 columns  (policy,src_host) and 21,435 rows.

I found some src_host are not filtered out from the search result

so I want to know Is there a limit on the search terms or the number of AND/OR conditions?

Labels (1)
0 Karma
Highlighted

Re: Is there a limit on the search terms or the number of AND/OR conditions

Ultra Champion

https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

your csv has much rows.

please modify limits.conf

0 Karma