can we increase lookup table maximum matches to 20...

rajchi · ‎07-15-2016

Lookup table max match can be 1 to 1000, I want to increase it to 2000. Is it possible? When I increase the max_matches in limits.conf then it is not taking, is there any other way to achieve this?

ConsoleBotTryPC · ‎11-21-2023

Were you able to find a solution for it?

somesoni2 · ‎07-15-2016

The max allowed value is 1000. See the documentation for lookup definition (transforms.conf
https://docs.splunk.com/Documentation/Splunk/6.4.1/Admin/Transformsconf#Lookup_tables

max_matches = <integer>
* The maximum number of possible matches for each input lookup value
  (range 1 - 1000)

rajchi · ‎07-15-2016

Thanks for your reply, so there is no way I can match more than 1000 using lookup?

somesoni2 · ‎07-15-2016

I believe no

woodcock · ‎07-15-2016

If the built-in lookup is limited to 1000, then you will have to create your own scripted lookup:

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configureexternallookups

rajchi · ‎07-15-2016

The maximum limit for "external lookup" is also 1000 for maximum matches. Please let me know if someone has done this before or if someone can confirm it is not possible at all.

woodcock · ‎07-15-2016

First, create a lookup definition (from Settings -> Lookups -> Lookup Definitions) for you lookup file, then give it same sharing permissions as the lookup file, then in the Advanced options set the value to 2000.

rajchi · ‎07-15-2016

Thanks for your reply, but it is not working. You can't increase the value of maximum matches above 1000 from UI lookup definition. It gives error from UI if you will try to increase it above 1000, I did try from limits.conf as well but it is not working.

can we increase lookup table maximum matches to 2000?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes