Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Lookup file: Why does scheduling the report diff in limitations from running it in free form search?

lmonahan
Path Finder
‎03-30-2022 09:05 AM

I have a lookup file that I am generating with a query.  The query results in ~59,000 rows currently.

If I run the query in the free form Splunk search then the CSV file is populated with all 59,000+ entries.

But if I schedule that query to run via a report overnight it truncates to 50,000 entries in the CSV file.  What I'm trying to reconcile about the scheduled report is:

1. Under View Recent it took 29s to run so it finished in under any 60s limit:   00:00:29

2. Under View Recent it says it found 59,633 rows for a size of 8.88MB:

3. The Job also says it finished and returned 59,633 results in 28.612 seconds

I've seen a few questions around the 50k limit and stanzas that can increase it. But my questions are:

1. Nothing in the View Recent or Job warns that it has truncated the results.

2. Why does scheduling the report diff in limitations from running it in free form search?

 

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎03-30-2022 10:31 AM

@lmonahan - Are you using the output to lookup action or outputlookup command?

Use outputlookup command once because output to lookup action from splunk could be limited by below parameter of limits.conf (I'm not 100% sure about that though.)

[scheduler]
max_action_results
Reply

lmonahan
Path Finder
‎03-31-2022 08:48 AM

Thanks for this info! 😀  I'm using outputlookup.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...