Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup table greater than 2GB - possible solutions?

charltones
Explorer
‎06-06-2016 04:03 AM

I have a lookup file as CSV which contains > 27 million rows and is 2GB in size. When zipped it is 500MB.

I need to lookup search results to add fields from the lookup table. Splunk complains that the lookup file is too big (error in splunk logs).

What I'd like to know is what is the best option to work around this. Things I can think of:

1) Index the lookup data and do a join or subsearch
2) Put the lookup data in a database and query it using Splunk DB connect
3) Put the lookup data in a database and query it using REST or Python (perhaps using Redis to accelerate the DB queries)

Can you advise what the best route is?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmallorquin
Builder
‎06-06-2016 08:12 AM

Hi,

Have you try convert the csv into kv store? If your version support kvstore

Hope i help you

View solution in original post

Reply
Solved! Jump to solution
Solution

jmallorquin
Builder
‎06-06-2016 08:12 AM

Hi,

Have you try convert the csv into kv store? If your version support kvstore

Hope i help you

Reply
Solved! Jump to solution

charltones
Explorer
‎06-06-2016 10:26 AM

Looks like kvstore is the thing to use! Many thanks I wasn't aware of it until now. I've tried setting up DB Connect anyway, but this looks like a simpler route. I will give it a go.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-06-2016 08:24 AM

Now why didn't I think of that?!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-06-2016 05:55 AM

You could also split the lookup into multiple lookup files. That is probably what I would do, if it is mostly upper-bounded at this point (will not grow very much).

0 Karma
Reply
Solved! Jump to solution

charltones
Explorer
‎06-06-2016 10:28 AM

Yes this is the route I started to go down, but I will very likely need to search across multiple partitions of the data set. The most sensible partition is to split the data by country, but I will probably need to search across multiple countries.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-06-2016 08:24 AM

I change my answer to "Use KV Store".

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...