I am experimenting with some searches that will need to do lookups on some fairly big tables (30 MB or more). I'm wondering whether it will be faster for Splunk to do a single lookup on a really large table or if I should just chain together several lookups on smaller tables. And I'm curious how big a table can get before it should be broken down into smaller sequential lookups (if ever).
Thx.
There aren't any absolutes, but: