Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

problem with lookup command

abhayneilam
Contributor
‎03-28-2013 02:54 AM

Hi,

I am getting the following error while running a lookup command with |inputlookup :

[subsearch]: Subsearch produced 726406 results, truncating to maxout 50000.

Please let me know how to get it solved !!

Thanks,
Abhay

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-28-2013 04:39 AM

from the docs on limits.conf

[searchresults]
* This stanza controls search results for a variety of Splunk search commands.

maxresultrows = <integer>
* Configures the maximum number of events are generated by search commands which 
grow the size of your result set (such as multikv) or that create events. Other search commands are explicitly 
controlled in specific stanzas below.
* This limit should not exceed 50000. Setting this limit higher than 50000 causes instability.
* Defaults to 50000.

and also;

[subsearch]
* This stanza controls subsearch results.

maxout = <integer>
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 100.

So it looks like you're hitting a limit somewhere. You'd probably get better help if you provided more info on the search you're running.

/K

0 Karma
Reply

abhayneilam
Contributor
‎03-29-2013 02:15 AM

Can I get some kind of help in this, plz help !! I am seriously seeking some kind of usefull help !!

Thanks,

0 Karma
Reply

abhayneilam
Contributor
‎03-28-2013 06:53 AM

Thanks for your information, but what will happen if my results are more than 50,000 rows ?

Following query I am running to find the actual results :

|inputlookup "one_file.csv" | append [ |inputlookup "second_file.csv" ] | append [ |inputlookup "third_file.csv" ] | lookup "Master_file.csv" user_sso

Please let me know how to get rid of the above mentioned "Warning Message"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...