I need to lookup the IP in a firewall log to a field in an inputcsv. The CSV file holds 50k results, so subsearches are limited. It's been recommended not to increase the subsearch event limit in limits.conf. I've thought about doing the lookup using a relational database, but I would like to do this in the Splunk environment if possible. Does anyone have any suggestions?
Have you considered lookup, will that work for what you're doing? http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Addfieldsfromexternaldatasources
Lookup tables with updater reports, as suggested by Sundareshr.
Works way better than I had expected. Thank you!
Yes, 50K results is definitely in range of a static lookup, as @sundareshr points out
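Added example (not from anyone in this thread) showing the two approaches side by side: the subsearch form the question describes, the `lookup` form the answers recommend, and an "updater report" that refreshes the CSV with `outputlookup`. The lookup name `badips`, the file `badips.csv`, the indexes/sourcetypes and the fields `src_ip`, `ip` and `category` are assumed placeholders; lines starting with `#` are annotations, not SPL.

```spl
# transforms.conf: lookup definition over the uploaded CSV (assumed name badips.csv)
[badips]
filename = badips.csv

# 1) Subsearch form from the question: inputlookup runs as a subsearch, so the
#    50k rows exceed the default subsearch limit (10,000) and matches are silently dropped.
index=firewall sourcetype=fw
    [ | inputlookup badips.csv | rename ip AS src_ip | fields src_ip ]
| stats count BY src_ip

# 2) Lookup form recommended in the answers: no subsearch, no result limit;
#    events whose src_ip is not in the table simply get no category field.
index=firewall sourcetype=fw
| lookup badips ip AS src_ip OUTPUT category
| where isnotnull(category)
| stats count BY src_ip category

# 3) Updater report (scheduled search) that rebuilds the CSV so the lookup stays current.
index=ip_feeds sourcetype=badip_feed
| dedup ip
| table ip category
| outputlookup badips.csv
```

Search 2 is the only one that touches the raw firewall events, so it also keeps working if the CSV grows well past 50k rows.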