topic Re: How to send alert search results as an email CSV attachment for more than 10,000 events? in Alerting

How to send alert search results as an email CSV attachment for more than 10,000 events?

nawneel — Mon, 03 Aug 2015 10:26:40 GMT

I would like to send more than hundred thousand (100,000) events as a CSV attachment to email. When I fire this search with this requirement, I get a message in email as Only the first 10000 of 123968 results are included in the attached csv. I have tried changing the configuration file at $Splunk_Home\etc\system\local\alert_action.conf with [default] maxresults=10000 to maxresults=100000, but all in vain.

People to whom I will send this report are not supposed to access the Splunk Server, so am email attachment is only option for now.

Thanks in advance

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

somesoni2 — Mon, 03 Aug 2015 20:14:38 GMT

Did you restart/refresh after making this change? What version of Splunk you have?

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

somesoni2 — Mon, 03 Aug 2015 20:16:38 GMT

You can increase the limit by updating following attribute in alert_actions.conf file

[email]
maxresults = 100000

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

nawneel — Tue, 04 Aug 2015 04:39:30 GMT

yes @somesoni2 i did make changes and restarted it , dint work

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

nawneel — Tue, 29 Sep 2020 06:55:35 GMT

[default]
maxresults=100000
[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=100000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

i have provided following changes , now i am facing a limit of 50000 records in my csv attachment

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

hkgserverteam — Tue, 05 Jan 2016 09:18:28 GMT

Hi , Did you get around the 50,000 record limit?

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

nawneel — Tue, 01 Mar 2016 12:25:28 GMT

@hkgserverteam i am still facing this issue. did u resolve this 50000 record limit?

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

nawneel — Mon, 11 Apr 2016 11:54:08 GMT

@hkgserverteam are you still facing issue. yeah i have made to 50000 record limits

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

angajalaprabhu — Mon, 26 Sep 2016 23:06:05 GMT

I'm facing the same issue. Did any one overcome the limit of 50k.
I need to create an alert to send 250,000 records in the CSV attachment.

Re: How to send alert search results as an email CSV attachment for more than 10,000 events?

rphillips_splk — Tue, 29 Sep 2020 14:16:45 GMT

After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.

$SPLUNK_HOME/etc/system/local/limits.conf
[scheduler]
max_action_results = 175000

[searchresults]
maxresultrows = 175000

$SPLUNK_HOME/etc/system/local/alert_actions.conf

[default]
maxresults = 175000

this enables an email alert containg a .csv to have 175k rows

Note: When I pushed the same configs from deployer and they ended up in an app/default as it should, but my .csv was limited to 10k rows.. when i put it straight on $SPLUNK_HOME/etc/system/local via cli on each member I got 175k rows in the csv