Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Efficient filtering with high number of values from a lookup table

Simon
Contributor
‎08-16-2013 12:25 AM

Hi all,

I've got 16k and growing values in a CSV. I'd like to search for events matching those values, like

tag::eventtype="authentication" [| inputlookup cmdb_former_employees | fields user | return 999999 user ]

But it seems that this is pretty much inefficient and results in a very slow search.
Is there a better way to find events matching a large set of values form a lookup?

Thanks,
Simon

Tags (3)
0 Karma
Reply

starcher
Influencer
‎08-16-2013 04:00 AM

I'd try making that an auto lookup for the relevant sourcetypes.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...