Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

outputlookup is limited to 10,000 results

jambajuice
Communicator
‎01-12-2011 03:50 AM

I need to create an outputlookup file with more than 10,000 results. I've looked through the limits.conf examples and I can't find a way to increase the number of results beyond 10K.

Is this possible?

Craig

Tags (1)
Reply

rfiscus
Path Finder
‎02-09-2016 08:22 AM

Yup, sort was killing it for me. Thanks!

Reply

steveyz
Splunk Employee
Splunk Employee
‎01-12-2011 04:27 AM

What is the full search? outputlookup itself does not have any results limits, and a limit of 10k would mostly be due to a sort command you may be using. (sort implicitly truncates to the first 10k output rows unless you specify limit=0 as an argument to it)

Reply

rdownie
Communicator
‎09-03-2014 04:22 AM

sort limit=0 worked for me.
Thanks.

0 Karma
Reply

steveyz
Splunk Employee
Splunk Employee
‎01-13-2011 05:06 AM

try using fields instead of table

0 Karma
Reply

jambajuice
Communicator
‎01-12-2011 06:08 AM

The search is:

sourcetype="nessus_plugins" | table nessus_id,cve_id,osvdb_id | outputlookup osvdb_cvs_lookup.csv

If I remove the outputlookup part of the search, it still maxes out at 100000 events.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...