Splunk Search

Is there any result limit of CIDR() in lookup?

yutaka1005
Builder

I want to add AS number to ip by using some geo data.
This data has column AS number and network like below.

AS_number,network
xxxxx,10.0.0.0/24

I uploaded this data as lookup, and configured lookup definitions with CIDR(network).
Then I tried some ip addresses like below, but it didn't work.

| makeresults count=2 
| streamstats count as c 
| eval network=if(c=1,"2001:4860:4860::8844","216.58.197.131")
| lookup Geo_AS_Lookup network OUTPUT

So I extracted only the lines with the following two networks matching the test addresses, and created a lookup table and lookup definition newly.

AS_number,network
xxxxx,2001:4860:4840::/42
yyyyy,216.58.192.0/19

Then it began to match well.
I wonder is there result limit of lookup?(* Because this lookup has about 440000 rows.)

If someone knows about it, please tell me.

additional info

Apparently the size is more concerned than the number of rows.

I made two pieces of data as below and found that the size of less than 10 MB matched well.

sample_geo.csv 27MB (500000 rows with 3 columns)
sample_geo_2.csv 8.95MB (500000 rows with 2 columns)

0 Karma
1 Solution

HiroshiSatoh
Champion

このリンクは見ましたか?max_memtable_bytesについての記述があります。

https://answers.splunk.com/answers/8228/lookup-table-limits.html

View solution in original post

0 Karma

HiroshiSatoh
Champion

このリンクは見ましたか?max_memtable_bytesについての記述があります。

https://answers.splunk.com/answers/8228/lookup-table-limits.html

0 Karma

yutaka1005
Builder

limits.confに以下の設定をしたら、うまく動きました。

[lookup]
max_memtable_bytes = 20000000

仕様なんですかね…。

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...