I do not have any admin privilege in my Splunk instance and cannot change any configuration.
I need to search an index for any value matching what's in a lookup file. The problem is the file contains 130K records and I get a maxout truncation at 10K. How do I overcome this?
If you plan to tell me to split it up into 10K files, please don't.
index="bro"
[ inputlookup bad_domains
| fields domain ]
|stats values(domain) by _time
| inputlookup bad_domains
| eval flag="csv"
| append [search index="bro"
| stats values(domain) as domain by _time
| eval flag="index"]
| stats dc(flag) as flag values(_time) as _time by domain
| where flag > 1
| table _time domain
search huge one first.
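Added example, not from the thread or from to4kawa's answer: the subsearch form `[ inputlookup ... ]` is what hits the 10K cap (the `maxout` setting in the `[subsearch]` stanza of limits.conf, which needs admin rights to raise), but the `lookup` command streams the CSV against every event and has no such cap, so it gives the same match without any subsearch or append. The index, lookup and field names are the ones used in the thread; the `matched` field name is an assumption.

```spl
index="bro" domain=*
| lookup bad_domains domain OUTPUT domain AS matched
| where isnotnull(matched)
| stats count AS hits, min(_time) AS first_seen, max(_time) AS last_seen BY domain
| sort - hits
```

`matched` is only populated for events whose `domain` appears in the lookup, so the `where isnotnull(matched)` line keeps just the bad ones; replace the last two lines with `| table _time domain` if you want the per-event listing from the original question. Two caveats: the lookup definition must already exist (it does if `inputlookup bad_domains` works for you), and lookup matching is case-sensitive by default, so if the CSV is lowercase add `| eval domain=lower(domain)` before the `lookup` line.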
Thanks to4kawa. I don't follow though. How do I fix the where comparison?
Why do you fix this?