Splunk Search

Working with lookup tables larger than 10500.

mike-48735
Engager

I have many lookup tables that I am working with and I am using the REST API to dynamically populate the lookup tables on a dashboard drop down.  The issue I am running into is that I am trying to verify if data already exists in one of the lookup tables.  I can use the inputlookup to search the lookup files but this is restricted to the subsearch limit of 10500, many of the tables are much larger than this.  So I have two questions...

1 - How can I specify a string and use the lookup search?  I have tried variations of the following, which haven't worked.

| eval search_term = item1
| lookup table1.csv item1 as column1
| search description

2 - How can I use the following search to dynamically search all lookup tables and not use inputlookup to avoid the subsearch limit?

| REST /services/data/lookup-table-files splunk_server=*
| table title
| search title=*
| map search="|inputlookup $title$"
| search Column1=$search_item$
| table Column1, Column2, Column3

richgalloway
SplunkTrust

1 - Please describe how the first search failed.  What were the expected results and what were the actual results?  Does table1.csv have a column named "description"?  Have you tried specifying a RHS in the search command?

| eval search_term = item1
| lookup table1.csv item1 as column1 OUTPUT description
| search description=*

2 - This appears to be a different requirement from the first search.  Here we're searching all lookup files rather than just one.  Have you tried using a where clause to reduce the number of records read?

| REST /services/data/lookup-table-files splunk_server=*
| fields title
| search title=*
| map search="|inputlookup $title$ where Column1=$search_item$"
| table Column1, Column2, Column3

BTW, the fields command (table in the OP) discards all but the title field so there is no search_item available to the map command.

---
If this reply helps you, Karma would be appreciated.
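As an added example (not code from either poster), here is how the two searches can be written so that the existence check goes through the lookup command instead of an inputlookup subsearch, and so that the dashboard token is quoted before it reaches the search. It assumes what the thread states: the lookup files share a key column named Column1 and a description column, and $search_item$ is a token from a dashboard text input; both searches are written as they would appear in a Simple XML <query> element. The first search answers question 1: makeresults produces one row carrying the value to check, and lookup matches it against table1.csv by key, so the subsearch row limit never applies to the file. The second search answers question 2: it runs a filtered inputlookup against every lookup file returned by the REST endpoint. The eval after fields puts the token value back into a field so map can substitute it (fields drops everything but title), maxsearches is raised because map otherwise stops after its default of 10 searches, splunk_server=local avoids the same file name coming back once per server, and $$ is the Simple XML escape for a literal $, so the map placeholders are not treated as dashboard tokens.

```spl
| makeresults
| eval Column1=$search_item|s$
| lookup table1.csv Column1 OUTPUT Column2 Column3 description
| where isnotnull(description)
| table Column1 Column2 Column3 description

| rest /services/data/lookup-table-files splunk_server=local
| fields title
| eval search_item=$search_item|s$
| map maxsearches=100 search="| inputlookup $$title$$ where Column1=\"$$search_item$$\" | eval lookup_file=\"$$title$$\""
| table lookup_file Column1 Column2 Column3
```

The |s token filter wraps the text-input value in double quotes and escapes quotes and backslashes inside it, which matters because a raw $search_item$ spliced into a search string lets any dashboard user append their own SPL. That protects the outer search; the value map substitutes into the inner search is still raw, so a value containing a double quote or backslash will break that inner search rather than match anything. In the ad hoc search bar, where no token substitution happens, replace $search_item|s$ with a quoted literal and write the map placeholders with single $.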

mike-48735
Engager

The search doesn't fail when using this method.  

| map search="|inputlookup $title$ where Column1=$search_item$"

It's just that the results aren't correct because some of the lookup tables are larger than the subsearch limit.  The $search_item$ is a field from the dashboard text input.

Yes all the lookup tables have a description column.  All other lookup commands work fine.

The two searches are different because search 1 is an example of what I would like to work, but example 2 is the search that works but the results are incomplete.

In reference to search 1 how can I use a lookup where I provide the value/string and it is not matched from a search?

How could I implement this as a where clause?  I am not tied to the map command it was just the method I got working but the results are not complete.
