Splunk Search

Is there any result limit of CIDR() in lookup?

yutaka1005
Builder

I want to add an AS number to each IP address by using some geo data.
This data has the columns AS number and network, like below.

AS_number,network
xxxxx,10.0.0.0/24

I uploaded this data as a lookup and configured a lookup definition with CIDR(network).
Then I tried some IP addresses like below, but it didn't work.

| makeresults count=2 
| streamstats count as c 
| eval network=if(c=1,"2001:4860:4860::8844","216.58.197.131")
| lookup Geo_AS_Lookup network OUTPUT AS_number

So I extracted only the lines with the following two networks that match the test addresses, and created a new lookup table and lookup definition from them.

AS_number,network
xxxxx,2001:4860:4840::/42
yyyyy,216.58.192.0/19

Then it began to match well.
I wonder, is there a result limit on lookups? (This lookup has about 440000 rows.)

If someone knows about it, please tell me.

Additional info

Apparently the file size matters more than the number of rows.

I made two pieces of data as below and found that the one smaller than 10 MB matched well.

sample_geo.csv: 27 MB (500000 rows with 3 columns)
sample_geo_2.csv: 8.95 MB (500000 rows with 2 columns)


HiroshiSatoh
Champion

Have you seen this link? It has a description of max_memtable_bytes.

https://answers.splunk.com/answers/8228/lookup-table-limits.html



yutaka1005
Builder

After I put the following setting in limits.conf, it worked well.

[lookup]
max_memtable_bytes = 20000000

I guess that's just how it's designed...

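As an added example (not code from this thread or from Splunk), the script below reproduces what the CIDR(network) lookup does for the two test addresses against a constructed lookup in the same AS_number,network shape, and adds a pre-flight check of a lookup file's size against max_memtable_bytes so a silently non-matching oversized table is caught before a search depends on it. The 10000000-byte default and the most-specific-prefix tie-break are assumptions of this example.

```python
import csv
import io
import ipaddress

# Constructed sample shaped like the thread's lookup (AS_number,network);
# the AS numbers are placeholders, not real allocations.
SAMPLE_LOOKUP_CSV = """AS_number,network
xxxxx,2001:4860:4840::/42
yyyyy,216.58.192.0/19
zzzzz,216.58.197.0/24
"""

# Assumed default for limits.conf [lookup] max_memtable_bytes (the thread saw
# files under 10 MB match and fixed the larger file with 20000000).
DEFAULT_MAX_MEMTABLE_BYTES = 10_000_000


def load_cidr_lookup(csv_text):
    """Parse the lookup CSV into (network, AS_number) pairs, skipping bad rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(rec["network"].strip(), strict=False)
            rows.append((net, rec["AS_number"]))
        except (ValueError, KeyError, AttributeError):
            continue  # unparsable or short row: a CIDR match could never hit it
    return rows


def cidr_lookup(rows, ip_text):
    """Return AS_number of the most specific network containing ip_text, else None.

    Like a CIDR() lookup field, it accepts IPv4 or IPv6 and only matches
    networks of the same family; the longest-prefix tie-break is this
    example's choice, not a statement about Splunk's own row ordering.
    """
    ip = ipaddress.ip_address(ip_text)
    best = None
    for net, asn in rows:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best[1] if best else None


def fits_memtable(size_bytes, max_memtable_bytes=DEFAULT_MAX_MEMTABLE_BYTES):
    """Pre-flight check: a file above max_memtable_bytes is not indexed in memory."""
    return size_bytes <= max_memtable_bytes
```

Run fits_memtable on the real file's byte size (for example from os.path.getsize) with whatever max_memtable_bytes is set in limits.conf before trusting a large CIDR lookup in a search.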