Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When do I move Lookup files to a KVstore? How big is the limit of the Lookup File before moving it to a KVstore? Please.

SamHTexas
Builder
‎09-16-2021 02:08 PM

Also please guide me on how to optimize my Lookups for more efficiency. When does one use Lookups vs KVstores? Thank u very much

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎09-17-2021 12:22 AM

Hi @SamHTexas,

if you're using the outputlookup command you have the limit of 10,000 results

In addition I have in mind the limit of 50,000 rows, but I don't remember where I saw this.

Anyway, in the choose between csv and KV Store you should have in mind two thing:

  • number of rows,
  • staticity.

if you have a static  tavble you can use csv, if you have a frequently modified table, it's better to use KV Store.

About number of rows, until some thousands of rows (1000, 2000) I continue to use csv, then I'd pass to KV store.

In addition, if you have to update some fields of some rows (as a db), it's easier to use KV Store because the table unique key is managed by Splunk.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎09-17-2021 12:22 AM

Hi @SamHTexas,

if you're using the outputlookup command you have the limit of 10,000 results

In addition I have in mind the limit of 50,000 rows, but I don't remember where I saw this.

Anyway, in the choose between csv and KV Store you should have in mind two thing:

  • number of rows,
  • staticity.

if you have a static  tavble you can use csv, if you have a frequently modified table, it's better to use KV Store.

About number of rows, until some thousands of rows (1000, 2000) I continue to use csv, then I'd pass to KV store.

In addition, if you have to update some fields of some rows (as a db), it's easier to use KV Store because the table unique key is managed by Splunk.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...