Lookup file: Why does scheduling the report differ in limitations from running it in free form search?

lmonahan
Path Finder

I have a lookup file that I am generating with a query.  The query results in ~59,000 rows currently.

If I run the query in the free form Splunk search then the CSV file is populated with all 59,000+ entries.

But if I schedule that query to run via a report overnight it truncates to 50,000 entries in the CSV file.  What I'm trying to reconcile about the scheduled report is:

1. Under View Recent it took 29s to run so it finished in under any 60s limit:   00:00:29

2. Under View Recent it says it found 59,633 rows for a size of 8.88MB:

3. The Job also says it finished and returned 59,633 results in 28.612 seconds

I've seen a few questions around the 50k limit and stanzas that can increase it. But my questions are:

1. Nothing in the View Recent or Job warns that it has truncated the results.

2. Why does scheduling the report differ in limitations from running it in free form search?

 


VatsalJagani
SplunkTrust

@lmonahan - Are you using the output to lookup action or the outputlookup command?

Use the outputlookup command once, because the output to lookup action from Splunk could be limited by the below parameter of limits.conf (I'm not 100% sure about that though).

[scheduler]
max_action_results 

lmonahan
Path Finder

Thanks for this info! 😀  I'm using outputlookup.
