Splunk Search

Working with lookup tables larger than 10500.

mike-48735
Engager

I have many lookup tables that I am working with and I am using the REST API to dynamically populate the lookup tables on a dashboard drop down.  The issue I am running into is that I am trying to verify if data already exists in one of the lookup tables.  I can use the inputlookup to search the lookup files but this is restricted to the subsearch limit of 10500, many of the tables are much larger than this.  So I have two questions...

1 - How can I specify a string and use the lookup search?  I have tried variations of the following, which haven't worked.

| eval search_term = item1
| lookup table1.csv item1 as column1
| search description


2 - How can I use the following search to dynamically search all lookup tables and not use inputlookup to avoid the subsearch limit?

| REST /services/data/lookup-table-files splunk_server=*
| table title
| search title=*
| map search="|inputlookup $title$"
| search Column1=$search_item$
| table Column1, Column2, Column3

richgalloway
SplunkTrust

1 - Please describe how the first search failed.  What were the expected results and what were the actual results?  Does table1.csv have a column named "description"?  Have you tried specifying a RHS in the search command?

| eval search_term = item1
| lookup table1.csv item1 as column1 OUTPUT description
| search description=*

2 - This appears to be a different requirement from the first search.  Here we're searching all lookup files rather than just one.  Have you tried using a where clause to reduce the number of records read?

| REST /services/data/lookup-table-files splunk_server=*
| fields title
| search title=*
| map search="|inputlookup $title$ where Column1=$search_item$"
| table Column1, Column2, Column3

BTW, the fields command (table in the OP) discards all but the title field so there is no search_item available to the map command.

---
If this reply helps you, Karma would be appreciated.

mike-48735
Engager

The search doesn't fail when using this method.  

| map search="|inputlookup $title$ where Column1=$search_item$"

It's just that the results aren't correct because some of the lookup tables are larger than the subsearch limit.  The $search_item$ is a field from the dashboard text input.

Yes all the lookup tables have a description column.  All other lookup commands work fine.

The two searches are different because search 1 is an example of what I would like to work, but example 2 is the search that works but the results are incomplete.

In reference to search 1 how can I use a lookup where I provide the value/string and it is not matched from a search?

How could I implement this as a where clause?  I am not tied to the map command; it was just the method I got working, but the results are not complete.

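An added example, not from either poster, for the first question (checking whether a value supplied as a string exists in one lookup file). It builds a single event with makeresults, runs the lookup command against it and keeps the event only when a match came back; lookup is a streaming command, not a subsearch, so the subsearch result limit does not apply. It assumes the names already used in the thread: table1.csv with columns item1 and description, and the dashboard token $search_item$.

```spl
| makeresults
| eval column1="$search_item$"
| lookup table1.csv item1 AS column1 OUTPUT description
| where isnotnull(description)
| table column1 description
```

An empty result set means the value is not in the table; a single row with the description means it is, regardless of how many rows the CSV holds.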