I created a Splunk Alert that sends out a PDF attachment file. However, the number of records included in the PDF I am retrieving is limited to only 1000. How do I configure my alert to retrieve the entire result? I read that this can be configured through limits.conf, savedsearches.conf, and alert_actions.conf, but I could not find these files in the directory. Is there a step-by-step guide on how to find and configure these conf files?
Hi johnpatrick27,
This might help you:
savedsearches.conf
action.email.maxresults = <integer>
- Set the maximum number of results to be emailed.
Hi johnpatrick27
Beware of the dimensions of your file: check whether it is within or exceeds your email limits; this is the reason for the limit in the PDF.
Bye.
Giuseppe
Thanks for your response, Giuseppe. Do you know where I can find this limit setting? I am pretty new to Splunk and have very minimal knowledge of configuration files.
I re-configured my email alert to attach both CSV and PDF. The CSV file includes the entire result (file size: 203KB) while the PDF includes an incomplete result, only 1000 records (file size: 80KB). Now I am getting confused about why the CSV file can include the entire result while the PDF cannot. Should this setting in email limit be the same for both file types?
Hi johnpatrick27,
I'm not speaking about a Splunk limit, but about an email limit: usually company email systems have a limit of 5 or 10 MB for attachments, so if the Splunk alert attachment exceeds this limit the email is blocked.
Check by downloading your PDF in a report and seeing its dimensions; maybe this isn't your problem, but with this check you can exclude a problem that I usually find.
Bye.
Giuseppe
I see your point. I don't think this email limit is applicable to my case. Like I said, I'm able to retrieve the complete result set through the CSV attachment with a file size of 203KB. So based on this, I don't think this is the reason why I couldn't get the complete results via PDF. Thank you though for sharing your insight.