Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Lookup file: Why does scheduling the report diff in limitations from running it in free form search?

lmonahan
Path Finder
‎03-30-2022 09:05 AM

I have a lookup file that I am generating with a query.  The query results in ~59,000 rows currently.

If I run the query in the free form Splunk search then the CSV file is populated with all 59,000+ entries.

But if I schedule that query to run via a report overnight it truncates to 50,000 entries in the CSV file.  What I'm trying to reconcile about the scheduled report is:

1. Under View Recent it took 29s to run so it finished in under any 60s limit:   00:00:29

2. Under View Recent it says it found 59,633 rows for a size of 8.88MB:

3. The Job also says it finished and returned 59,633 results in 28.612 seconds

I've seen a few questions around the 50k limit and stanzas that can increase it. But my questions are:

1. Nothing in the View Recent or Job warns that it has truncated the results.

2. Why does scheduling the report diff in limitations from running it in free form search?

 

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎03-30-2022 10:31 AM

@lmonahan - Are you using the output to lookup action or outputlookup command?

Use outputlookup command once because output to lookup action from splunk could be limited by below parameter of limits.conf (I'm not 100% sure about that though.)

[scheduler]
max_action_results
Reply

lmonahan
Path Finder
‎03-31-2022 08:48 AM

Thanks for this info! 😀  I'm using outputlookup.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...