Hi @kaeleyt Use the Splunk lookup feature by saving Dataset 2 (ip-to-hostname mapping) as a CSV lookup file and then using the lookup command to enrich Dataset 1. This fully bypasses subsearch, join, and append limits.

Create CSV lookup table from Dataset 2:

index=my_hosts
| stats values(hostname) as hostname by ip
| outputlookup ip_to_hostname.csv

Join Dataset 1 and lookup to enrich logs with hostnames:

index=my_logs
| stats count by ip
| lookup ip_to_hostname.csv ip OUTPUT hostname
| table ip, count, hostname

The lookup command does not have the same limiting factors as join, append, or subsearch; for reasonable file sizes, you could use either CSV or kvstore lookups. If Dataset 2 changes regularly you could overwrite the lookup via a scheduled search. For very large lookups, Splunk recommends KV store lookups for scale, but CSV lookups generally perform well up to 1M+ rows. Confirm that the field names (ip, hostname) match exactly between lookup and base data.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
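Added example, not part of the original answer and not Splunk code: a small Python emulation of the two searches above on constructed host and log records, so you can see offline what the lookup produces (exact match on ip, a multivalue hostname when one ip has several names, no hostname at all on unmatched rows) and check the lookup header against the field names the base data uses. The newline-joined multivalue cell is an assumption about the CSV representation, made only for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (hypothetical values, not from any real index).
HOST_RECORDS = [                                   # Dataset 2: index=my_hosts
    {"ip": "10.0.0.5", "hostname": "web01"},
    {"ip": "10.0.0.5", "hostname": "web01"},       # duplicate, collapsed by values()
    {"ip": "10.0.0.9", "hostname": "db01"},
    {"ip": "10.0.0.9", "hostname": "db01-old"},    # two names -> multivalue hostname
]
LOG_COUNTS = [                                     # Dataset 1 after `stats count by ip`
    {"ip": "10.0.0.5", "count": 42},
    {"ip": "10.0.0.9", "count": 7},
    {"ip": "192.168.1.1", "count": 3},             # no inventory entry for this ip
]

def build_lookup_csv(records):
    """Emulate `stats values(hostname) as hostname by ip | outputlookup`:
    one row per ip, distinct hostnames kept as a multivalue (newline-joined here)."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["hostname"])
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ip", "hostname"])
    w.writeheader()
    for ip in sorted(by_ip):
        w.writerow({"ip": ip, "hostname": "\n".join(sorted(by_ip[ip]))})
    return buf.getvalue()

def check_lookup_header(csv_text, required=("ip", "hostname")):
    """Return the required field names missing from the lookup header.
    Names are compared exactly: 'IP' does not satisfy 'ip'."""
    header = next(csv.reader(io.StringIO(csv_text)))
    return [f for f in required if f not in header]

def enrich(rows, csv_text, key="ip", output="hostname"):
    """Emulate `lookup ip_to_hostname.csv ip OUTPUT hostname`: exact match on the
    key field; rows with no matching lookup row simply get no hostname field."""
    table = {r[key]: r[output].split("\n")
             for r in csv.DictReader(io.StringIO(csv_text))}
    out = []
    for row in rows:
        enriched = dict(row)
        if row[key] in table:
            names = table[row[key]]
            enriched[output] = names[0] if len(names) == 1 else names
        out.append(enriched)
    return out
```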