Working with lookup tables larger than 10500.

mike-48735
Engager

I have many lookup tables that I am working with and I am using the REST API to dynamically populate the lookup tables on a dashboard drop down.  The issue I am running into is that I am trying to verify if data already exists in one of the lookup tables.  I can use the inputlookup to search the lookup files but this is restricted to the subsearch limit of 10500, many of the tables are much larger than this.  So I have two questions...

1 - How can I specify a string and use the lookup search?  I have tried variations of the following, which haven't worked.

| eval search_term = item1
| lookup table1.csv item1 as column1
| search description

2 - How can I use the following search to dynamically search all lookup tables and not use inputlookup to avoid the subsearch limit?

| REST /services/data/lookup-table-files splunk_server=*
| table title
| search title=*
| map search="|inputlookup $title$"
| search Column1=$search_item$
| table Column1, Column2, Column3

richgalloway
SplunkTrust

1 - Please describe how the first search failed.  What were the expected results and what were the actual results?  Does table1.csv have a column named "description"?  Have you tried specifying a RHS in the search command?

| eval search_term = item1
| lookup table1.csv item1 as column1 OUTPUT description
| search description=*

2 - This appears to be a different requirement from the first search.  Here we're searching all lookup files rather than just one.  Have you tried using a where clause to reduce the number of records read?

| REST /services/data/lookup-table-files splunk_server=*
| fields title
| search title=*
| map search="|inputlookup $title$ where Column1=$search_item$"
| table Column1, Column2, Column3

BTW, the fields command (table in the OP) discards all but the title field so there is no search_item available to the map command.

---
If this reply helps you, Karma would be appreciated.
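As an added worked example (not part of either post above), the two approaches discussed in this thread written out in full. It assumes a lookup file `table1.csv` with columns `Column1`, `Column2`, `Column3` and `description` (the OP confirms a description column exists; the other names are taken from the OP's searches), and it uses a constructed literal `"example-value"` in place of the dashboard token so the search also runs ad hoc.

```spl
| makeresults
| eval Column1="example-value"
| lookup table1.csv Column1 OUTPUT Column2 Column3 description
| where isnotnull(description)
| table Column1 Column2 Column3 description
```

`makeresults` seeds a single event carrying the user-supplied string, `lookup` matches it against `Column1` in the file and brings back the other columns, and `where isnotnull(description)` drops the event when there is no match. Because `lookup` reads the file through the lookup machinery rather than a `[ ]` subsearch or `map`, the subsearch result limit the OP is running into does not apply, which is the direct answer to question 1.

For question 2 (one value checked across every CSV lookup file), the `where` clause pushes the filter into `inputlookup` so each mapped search returns only matching rows instead of the whole file:

```spl
| rest /services/data/lookup-table-files splunk_server=*
| search title="*.csv"
| dedup title
| fields title
| eval search_item="example-value"
| map maxsearches=100 search="| inputlookup $title$ where Column1=\"$search_item$\" | eval source_table=\"$title$\""
| table source_table Column1 Column2 Column3
```

Three points a practitioner will want here. `dedup title` matters when `splunk_server=*` returns the same file from several search heads; without it each file is scanned once per server. `map` defaults to `maxsearches=10`, so with more than ten lookup files the remaining ones are silently skipped unless the limit is raised as shown. And carrying the value in an `eval` field (in a dashboard, replace the literal with the `$search_item$` text-input token) addresses the point in the reply above that `fields title` leaves no `search_item` for `map` to substitute; quoting the value inside the `where` clause also keeps a string containing spaces or `=` from being parsed as extra search terms.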

mike-48735
Engager

The search doesn't fail when using this method.

| map search="|inputlookup $title$ where Column1=$search_item$"

It's just that the results aren't correct because some of the lookup tables are larger than the subsearch limit.  The $search_item$ is a field from the dashboard text input.

Yes all the lookup tables have a description column.  All other lookup commands work fine.

The two searches are different because search 1 is an example of what I would like to work, but example 2 is the search that works but the results are incomplete.

In reference to search 1 how can I use a lookup where I provide the value/string and it is not matched from a search?

How could I implement this as a where clause?  I am not tied to the map command; it was just the method I got working, but the results are not complete.
