Splunk Search

can we increase lookup table maximum matches to 2000?

rajchi
Explorer

Lookup table max match can be 1 to 1000, I want to increase it to 2000. Is it possible? When I increase the max_matches in limits.conf then it is not taking, is there any other way to achieve this?

Tags (1)

ConsoleBotTryPC
Path Finder

Were you able to find a solution for it?

0 Karma

somesoni2
Revered Legend

The max allowed value is 1000. See the documentation for lookup definition (transforms.conf
https://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Transformsconf#Lookup_tables

max_matches = <integer>
* The maximum number of possible matches for each input lookup value
  (range 1 - 1000)
0 Karma

rajchi
Explorer

Thanks for your reply, so there is no way I can match more than 1000 using lookup?

somesoni2
Revered Legend

I believe no

0 Karma

woodcock
Esteemed Legend

If the built-in lookup is limited to 1000, then you will have to create your own scripted lookup:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureexternallookups

0 Karma

rajchi
Explorer

The maximum limit for "external lookup" is also 1000 for maximum matches. Please let me know if someone has done this before or if someone can confirm it is not possible at all.

woodcock
Esteemed Legend

First, create a lookup definition (from Settings -> Lookups -> Lookup Definitions) for you lookup file, then give it same sharing permissions as the lookup file, then in the Advanced options set the value to 2000.

0 Karma

rajchi
Explorer

Thanks for your reply, but it is not working. You can't increase the value of maximum matches above 1000 from UI lookup definition. It gives error from UI if you will try to increase it above 1000, I did try from limits.conf as well but it is not working.

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...