Splunk does not have a fixed 10MB maximum size limit for lookup files. The effective limits on lookup size are determined by configurations in the limits.conf file and the available system resources (RAM, CPU). For instance, the maxmemtablebytes setting for KV Store lookups defaults to 256MB, and the maxlookupsize for static CSV lookups defaults to 500MB in recent Splunk versions. These values can be adjusted by an administrator, demonstrating that there is no inherent 10MB hard limit. Therefore, the statement that lookups have a 10MB maximum size limit is false.

A. Lookups can be time based: This is a true statement. Splunk allows the configuration of time-based lookups, which match events against lookup table rows that are valid for the event's timestamp.

B. Search results can be used to populate a lookup table: This is a true statement. The outputlookup command is specifically designed to take the results of a search query and write them to a lookup file or KV Store collection.

C. Splunk DB Connect can be used to populate a lookup table from relational databases: This is a true statement. A primary function of the Splunk DB Connect app is to query relational databases and use the results to create and populate lookups within Splunk.

D. Output from a script can be used to populate a lookup table: This is a true statement. Splunk supports scripted lookups, where an external script is executed to provide lookup data dynamically, which is then used to enrich event data.

---

1. Splunk Enterprise Admin Manual

limits.conf specification:

Section: [lookup]

Content: This section details configurable limits for lookups. For example

maxlookupsize defaults to 500MB

and maxmemtablebytes for KV Store lookups defaults to 256000000 (256MB). This directly contradicts the claim of a 10MB limit.

Reference: Splunk Documentation

Admin Manual

limits.conf

[lookup] stanza.

2. Splunk Enterprise Knowledge Manager Manual

"About lookups":

Section: "Types of lookups" and "Configure a time-based lookup"

Content: This manual describes the different types of lookups

including scripted and time-based lookups

confirming options A and D are true features.

Reference: Splunk Documentation

Knowledge Manager Manual

"Configure a time-based lookup" and "Configure a scripted lookup".

3. Splunk Enterprise Search Reference

outputlookup command:

Section: "outputlookup"

Content: The documentation for the outputlookup command explicitly states its purpose: "Writes search results to a static lookup table... or a KV store collection." This confirms option B is a true statement.

Reference: Splunk Documentation

Search Reference

outputlookup.

4. Splunk DB Connect Manual

"Create and manage database lookups":

Section: "Create a new database lookup"

Content: The manual states

"Use DB Connect to import tables

views

and databases from your database and make them available as lookups in Splunk." This confirms option C is a true statement.

Reference: Splunk Documentation

Splunk DB Connect

"Create and manage database lookups".