Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookups to files larger than max_memtable_bytes report file only contains a header row

joebensimo
Path Finder
‎08-06-2013 11:02 AM

With Splunk v5 and v6, I have not been able to get lookups to work with CSV files that are larger than max_memtable_bytes.

When attempting to lookup, input, or output to a lookup file that is larger than max_memtable_bytes, I get an error stating that the file is empty.

For example:
Empty csv lookup file (contains only a header) for table 'agenthash.csv': /opt/splunk/etc/apps/search/lookups/agenthash.csv

In the past, I've worked around this (as advised by support) by increasing max_memtable_bytes. However, I now have some lookups that are larger than most, and some that are at risk of growing to be larger than max_memtable_bytes.

The documentation says that Splunk will index larger files on disk, but I've not yet been able to get this to work. How can I use huge lookup files?

Tags (3)
Reply

haley_swarnapat
Path Finder
‎09-16-2016 01:40 AM

If you are using Windows, there is a workaround (not real solution, but it should solve your problem)

From your start menu type and search for "ODBC Data Sources"
Create a System DSN
Add "Excel Files" data source
Choose your CSV file
Now the CSV file becomes accessible via ODBC Driver, voila!

Use Splunk DBLookup to fetch data from the DSN

0 Karma
Reply

joebensimo
Path Finder
‎07-01-2014 08:54 AM

This continues to be a problem. It appears that Splunk's functionality to index large lookup files on disk has been broken for over a year. Is this broken? Or is there something special that needs to be done to make it work?

Reply

dshpritz
SplunkTrust
SplunkTrust
‎08-11-2016 10:07 AM

What version of Splunk are you running?

0 Karma
Reply

cramasta
Builder
‎02-22-2016 06:17 PM

Whats larger than most? What do you have max_memtable_bytes set to?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...