Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When searching a CSV import via a lookup, what should I do to work around the line limit?

christianubeda
Path Finder
‎02-04-2019 03:13 AM

Hi team!

I import a CSV file via lookup and use this search.

index=cesa_paloalto sourcetype="pan:traffic" type=TRAFFIC vendor_action=allow | join src_ip [| inputlookup append=t ipsmalware2.csv | eval src_ip=Ip]
 | stats values(src_ip)

It should match IPs, but if I write an IP in the end of the file, it never matches!

The file is 25MB and 222916 lines

Splunk has a limit? It can't read all lines, I think.

What should I do?

Thank you!

0 Karma
Reply

DanielAmlung
Path Finder
‎09-17-2019 11:52 PM

I would like to push this Question back to top. I have a similiar Problem, with importing a csv file. Splunk also "cuts" the Import after 20.000 lines. Is there some sort of max supported lines withing an csv file?

0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 04:29 AM

Hello @christiabubedu

There is limit of 10000 records or 60 sec on Subsearch. Thats why the events are not able to match for you.

So to avoid this situation, the best way is to use dedup or filter you data as per your need. try to use dedup for Ip in subsearch which will help you.

index=cesa_paloalto sourcetype="pan:traffic" type=TRAFFIC vendor_action=allow | join src_ip [| inputlookup append=t ipsmalware2.csv fields Ip | dedup Ip | eval src_ip= Ip]
| stats values(src_ip)
0 Karma
Reply

mayurr98
Super Champion
‎02-04-2019 03:28 AM

can you try this :

index=cesa_paloalto sourcetype="pan:traffic" type=TRAFFIC vendor_action=allow  [| inputlookup ipsmalware2.csv | table Ip | dedup Ip | rename Ip as src_ip] | stats values(src_ip)

OR 

 index=cesa_paloalto sourcetype="pan:traffic" type=TRAFFIC vendor_action=allow | search   [| inputlookup ipsmalware2.csv | table Ip | dedup Ip | rename Ip as src_ip] | stats values(src_ip)

let me know if this helps!

0 Karma
Reply

christianubeda
Path Finder
‎02-06-2019 08:14 AM

Hi sir!

It didn't work...

I introduced 5 IP's in my csv

Line 1 OK
Line 9999 OK
Line 10004 Fail
Line 12000 FAIL
Line 222333(last one) FAIL

It only read first 10000 lines I think...

I need a csv with 9 millions lines... what can I do now?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...