Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Are there limits for lookups in regards to extracting fields from them?

briancronrath
Contributor
‎04-14-2020 01:13 PM

I have a lookup that recently stopped auto extracting fields. What I've noticed is that if I do a join, I can join if in the subsearch I specifically search for that row, but doing the normal lookup command gives me nothing. For example something like:

index=a sourcetype=a host=host1 | lookup host_lookup host as host output fieldA

Does not give me fieldA value for host1, however if I do:

index=a sourcetype=a host=host1 | join host [|inputlookup host_lookup | table host fieldA| search host=host1]

I get fieldA just fine in that case. So clearly it would appear to me some sort of limit is getting hit, even though I don't seem to be seeing any indication in the ui or Job inspection stating me that I am hitting a limit. Does anyone know if this is indeed a limit I'm hitting? Or is there anything else I can look into?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2020 04:21 PM

Tell us more about the lookup file. How large is it?
What changed around the time the lookup stopped working?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...