Splunk Search

How many lookup tables can I use in one splunk query?

logloganathan
Motivator

Can anyone please tell me how many lookup tables I can use in one particular Splunk query?

Are there any restrictions?

0 Karma

elliotproebstel
Champion

I have not run into any restrictions. Are you asking about lookup tables that you'll use as lookups (using the lookup search command) or lookup tables that you'll use as search filters (using the inputlookup search command)? The first is likely to slow things down if you are running a lot of chained lookups, and the latter could possibly grow your search results to an unmanageable size, depending on the size of the lookup file.

0 Karma

niketn
Legend

@logloganathan, how many lookup files are you planning to have? Rather than a search limitation, you should consider, from an admin point of view, how many lookup tables you can maintain for a single app.

What kind of data will your lookup tables have, and what is the reason for using several lookups in a single search? Can you index the lookup files and use index, source, sourcetype for correlation?

You should also consider creating a KV Store for better maintenance of this kind of data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jluo_splunk
Splunk Employee

I don't believe there is a limit - however, using many large lookups can impact your performance.
