Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookups to files larger than max_memtable_bytes report file only contains a header row

joebensimo
Path Finder
‎08-06-2013 11:02 AM

With Splunk v5 and v6, I have not been able to get lookups to work with CSV files that are larger than max_memtable_bytes.

When attempting to lookup, input, or output to a lookup file that is larger than max_memtable_bytes, I get an error stating that the file is empty.

For example:
Empty csv lookup file (contains only a header) for table 'agenthash.csv': /opt/splunk/etc/apps/search/lookups/agenthash.csv

In the past, I've worked around this (as advised by support) by increasing max_memtable_bytes. However, I now have some lookups that are larger than most, and some that are at risk of growing to be larger than max_memtable_bytes.

The documentation says that Splunk will index larger files on disk, but I've not yet been able to get this to work. How can I use huge lookup files?

Tags (3)
Reply

haley_swarnapat
Path Finder
‎09-16-2016 01:40 AM

If you are using Windows, there is a workaround (not real solution, but it should solve your problem)

From your start menu type and search for "ODBC Data Sources"
Create a System DSN
Add "Excel Files" data source
Choose your CSV file
Now the CSV file becomes accessible via ODBC Driver, voila!

Use Splunk DBLookup to fetch data from the DSN

0 Karma
Reply

joebensimo
Path Finder
‎07-01-2014 08:54 AM

This continues to be a problem. It appears that Splunk's functionality to index large lookup files on disk has been broken for over a year. Is this broken? Or is there something special that needs to be done to make it work?

Reply

dshpritz
SplunkTrust
SplunkTrust
‎08-11-2016 10:07 AM

What version of Splunk are you running?

0 Karma
Reply

cramasta
Builder
‎02-22-2016 06:17 PM

Whats larger than most? What do you have max_memtable_bytes set to?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...