
Troubleshoot lookups in Splunk Enterprise Security
Troubleshoot Splunk issues regarding lookups and available memory.
Lookups not respecting ASCII name order
Splunk Enterprise does not honor the lexicographical (ASCII) order of automatic search-time lookups when some lookups in a set execute in memory while others in the same set are indexed.
For instance, suppose max_memtable_bytes is set to 50MB, the assets_by_cidr lookup is 25MB, and the assets_by_str lookup is 75MB. This causes assets_by_str to be indexed and assets_by_cidr to run in memory, resulting in assets_by_cidr inadvertently executing prior to assets_by_str.
Increase max_memtable_bytes in the lookup stanza of the $SPLUNK_HOME/etc/system/default/limits.conf file. See limits.conf in the Splunk Enterprise Admin Manual.
Lookup tables exceeding the maximum length
Lookup table files that exceed the HTTP httpServer:max_content_length setting in server.conf are not replicated across search head cluster members.
Increase max_content_length in the http_input stanza of the $SPLUNK_HOME/etc/system/default/server.conf file. See server.conf in the Splunk Enterprise Admin Manual.
Lookup files growing in excess of 1GB
Lookup table files involved in special search matches, such as CIDR or wildcard matching, are required to run in memory. This can lead to running out of memory when using these features.
Increase max_memtable_bytes in the lookup stanza of the $SPLUNK_HOME/etc/system/default/limits.conf file. See limits.conf in the Splunk Enterprise Admin Manual.
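The three symptoms above all come down to comparing lookup file sizes against two thresholds: max_memtable_bytes (which decides in-memory versus indexed execution, and therefore whether ASCII ordering can be broken and how much memory CIDR or wildcard lookups need) and max_content_length (which decides whether a file replicates across the search head cluster). The following script is an added example, not Splunk's own tooling. It assumes lookup files are CSVs in a single directory, that both thresholds are expressed in bytes as they are in limits.conf and server.conf, and that a file no larger than max_memtable_bytes is loaded in memory; the sample sizes are constructed to mirror the 25MB/75MB case described above.

```python
"""Check a set of Splunk lookup files against limits.conf / server.conf thresholds.

Added example, not Splunk's own code. Assumes lookup files are CSVs in one
directory and that max_memtable_bytes and max_content_length are in bytes.
"""
from pathlib import Path

MB = 1024 * 1024

# Constructed sample mirroring the sizes quoted in the text above.
SAMPLE_SIZES = {
    "assets_by_cidr": 25 * MB,
    "assets_by_str": 75 * MB,
}


def lookup_sizes(lookup_dir):
    """Return {lookup name: size in bytes} for every .csv file under lookup_dir."""
    return {p.stem: p.stat().st_size for p in Path(lookup_dir).glob("*.csv")}


def classify_lookups(sizes, max_memtable_bytes):
    """Split lookups into (in_memory, indexed) name lists, each in ASCII order.

    Assumed boundary: a file no larger than max_memtable_bytes is loaded in
    memory; a larger one is indexed on disk instead.
    """
    in_memory = sorted(n for n, s in sizes.items() if s <= max_memtable_bytes)
    indexed = sorted(n for n, s in sizes.items() if s > max_memtable_bytes)
    return in_memory, indexed


def mixed_execution_modes(sizes, max_memtable_bytes):
    """True when the set mixes in-memory and indexed lookups, which is the
    condition under which ASCII execution order is not honored."""
    in_memory, indexed = classify_lookups(sizes, max_memtable_bytes)
    return bool(in_memory) and bool(indexed)


def memtable_bytes_to_keep_in_memory(sizes):
    """Smallest max_memtable_bytes that keeps every lookup in the set in memory
    (also the working-set size CIDR/wildcard lookups will need)."""
    return max(sizes.values(), default=0)


def replication_blocked(sizes, max_content_length):
    """Lookups larger than max_content_length; these will not be replicated
    to other search head cluster members."""
    return sorted(n for n, s in sizes.items() if s > max_content_length)


def report(sizes, max_memtable_bytes, max_content_length):
    """Human-readable summary of both checks for a set of lookups."""
    in_memory, indexed = classify_lookups(sizes, max_memtable_bytes)
    lines = [f"in memory: {in_memory}", f"indexed: {indexed}"]
    if mixed_execution_modes(sizes, max_memtable_bytes):
        lines.append(
            "WARNING: mixed execution modes, ASCII order not guaranteed; "
            f"raise max_memtable_bytes to at least "
            f"{memtable_bytes_to_keep_in_memory(sizes)} bytes"
        )
    blocked = replication_blocked(sizes, max_content_length)
    if blocked:
        lines.append(
            f"WARNING: not replicated (exceed max_content_length): {blocked}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample with both thresholds at 50MB.
    print(report(SAMPLE_SIZES, 50 * MB, 50 * MB))
```

To check a real deployment, replace SAMPLE_SIZES with lookup_sizes("/path/to/app/lookups") and pass the byte values actually configured in your limits.conf and server.conf; a non-empty warning line means one of the two limits needs raising before the ordering or replication problem disappears.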
This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1