Dear All, I encountered a question when setting up a blacklist IP use case. I created a blacklist.csv which stores over 500,000 records, and the format is like:

    BlacklistIP
    x.x.x.x abc.com
    y.y.y.y bcd.com

I use the following search:

    index=test (dst_ip=* OR src_ip=*) [ | inputlookup blacklist.csv | fields BlacklistIP | rename BlacklistIP as query ]

However, I discovered that Splunk limits the subsearch to 10,000 results. If 1.1.1.1 is in col 1000 and the src_ip/dst_ip is 1.1.1.1, it appears in the search result. If 3.3.3.3 is in col 30000, even if the src_ip/dst_ip is 3.3.3.3, it does not appear in the search result. If 4.4.4.4 is in col 50000, even if the src_ip/dst_ip is 4.4.4.4, it does not appear in the search result.

After I changed the subsearch limit in limits.conf:

    maxout = 1,000,000
    maxtime = 240
    ttl = 600

The result contains 3.3.3.3, but 4.4.4.4 still does not appear. Also, the search is taking a long time, maybe around 5 to 6 minutes.

Here is the hardware spec:

    Splunk Enterprise Server 8.0.4
    Linux, 7.64 GB Physical Memory, 8 CPU Cores
    Mode: Standalone

Is there any suggestion for me? Thank you for your help!
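The same match can be expressed without a subsearch by using the `lookup` command, which joins each event against the CSV at search time instead of expanding the whole list into the base search, so the subsearch `maxout` ceiling never applies. The search below is an added example, not the poster's search or anything from a reply in this thread; it assumes the CSV has been uploaded as a lookup file named blacklist.csv with a header column `BlacklistIP`, and that the events carry the `src_ip` and `dst_ip` fields as in the post.

```spl
index=test (src_ip=* OR dst_ip=*)
| lookup blacklist.csv BlacklistIP AS src_ip OUTPUT BlacklistIP AS src_blacklisted
| lookup blacklist.csv BlacklistIP AS dst_ip OUTPUT BlacklistIP AS dst_blacklisted
| where isnotnull(src_blacklisted) OR isnotnull(dst_blacklisted)
| eval matched_ip=coalesce(src_blacklisted, dst_blacklisted)
| table _time src_ip dst_ip matched_ip
```

Each `lookup` line performs an exact match of one event field against the `BlacklistIP` column and writes the matched value into a new field; the `where` keeps only events where at least one side of the connection matched. Large CSV lookups are not subject to the 10,000-result subsearch limit, but they are governed by the `[lookup]` stanza in limits.conf (for example `max_memtable_bytes`, above which Splunk indexes the file on disk rather than holding it in memory), and a very large list is usually better served by a KV store collection than by a flat CSV.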