topic Re: Why does my search return results as expected, but saving the same search as an alert does not return all data fields? in Alerting

Why does my search return results as expected, but saving the same search as an alert does not return all data fields?

susenstoob — Thu, 08 Dec 2016 02:24:18 GMT

So when I perform a search using criteria that I want, it works. If I export those results to a CSV, I am given ALL of the data fields (which is what I want). However when I then save this search as an alert, then that alert is triggered, I have it email a CSV of the results. However that CSV is missing 75% of the data fields. The results are exactly the same as the search, just missing many columns of data that I need.

Re: Why does my search return results as expected, but saving the same search as an alert does not return all data fields?

nisu — Thu, 08 Dec 2016 11:32:26 GMT

You can try by updating your query as follows:

Provide fieldname= * at starting of your query which you are using as chart or stats at the end. I think saved search is by default running in fast mode.

If the above is not working then try the following property in savedsearches.conf

action.email.maxresults = <integer>
 * Set the maximum number of results to be emailed.
 * Any alert-level results threshold greater than this number will be capped at
   this level.
 * This value affects all methods of result inclusion by email alert: inline,
   CSV and PDF.
 * Note that this setting is affected globally by "maxresults" in the [email]
   stanza of alert_actions.conf.
 * Defaults to 10000

Re: Why does my search return results as expected, but saving the same search as an alert does not return all data fields?

susenstoob — Thu, 08 Dec 2016 16:44:01 GMT

Thanks Nisu, tried your first suggestion, but then the search returns 0 results. Also, just FYI, I have tried both fast mode and verbose mode. The search works the same in both fashions, and then the emailed report again is still missing many fields.

Tried your 2nd suggestion, again no change. Though I believe that is only to change the amount of results, my search and report is no where close to 10k.

Any other ideas?

Re: Why does my search return results as expected, but saving the same search as an alert does not return all data field

amgibby — Wed, 18 Jan 2023 22:16:45 GMT

Saved searches have a different behavior than ad hoc searches in that they only return requested fields. You need to explicitly state what fields you want returned with the fields command. Alternatively, you can use the command to return all fields:

<your search string> | fields *