Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How many lookup tables can I use in one splunk query?

logloganathan
Motivator
‎03-20-2018 08:57 AM

Can anyone please tell how may lookup table can I use in one particular Splunk query?

Are there any restrictions?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-20-2018 09:15 AM

I have not run into any restrictions. Are you asking about lookup tables that you'll use as lookups (using the lookup search command) or lookup tables that you'll use as search filters (using the inputlookup search command)? The first is likely to slow things down if you are running a lot of chained lookups, and the latter is possible to grow your search results to an unmanageable size, depending on the size of the lookup file.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-20-2018 11:42 AM

@logloganathan, how many lookup files are you planning to have? Rather than search limitation you should consider from Admin point of view as to how many lookup tables can you maintain for a single app.

What is the kind of data that your lookup tables can have and reason for several lookups to be used in single search? Can you index the lookup files and use index, source, sourcetype for correlation?

You should also consider creating KV Store for better maintenance of such kind of data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎03-20-2018 09:37 AM

I don't believe there is a limit - however, using many large lookups can impact your performance.

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-20-2018 09:15 AM

I have not run into any restrictions. Are you asking about lookup tables that you'll use as lookups (using the lookup search command) or lookup tables that you'll use as search filters (using the inputlookup search command)? The first is likely to slow things down if you are running a lot of chained lookups, and the latter is possible to grow your search results to an unmanageable size, depending on the size of the lookup file.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...