Alerting

Configure Splunk to Create an Email Alert that sends out PDF File with up to 5,000 records

New Member

I created a Splunk Alert that sends out a PDF attachment file. However, the number of records included in the PDF I am retrieving is only limited to 1000. How do I configure my alert to retrieve the entire result? I read that this can be configured through limits.conf, savedsearches.conf, and alert_actions.conf, but I could not find these files in the directory. Is there a step-by-step guide on how to find and configure these conf files?

0 Karma

Champion

Hi johnpatrick27,

This might help you:

savedsearches.conf
action.email.maxresults = <integer>
- Set the maximum number of results to be emailed.

  • Any alert-level results threshold greater than this number will be capped at this level.
  • This value affects all methods of result inclusion by email alert: inline, CSV and PDF.
  • Note that this setting is affected globally by "maxresults" in the [email] stanza of alert_actions.conf.
  • Defaults to 10000
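The capping rule quoted in the answer above, as an added example that is not part of the original thread: it merges default and local conf layers and reports the email result cap that actually applies to one saved search. The saved search name, the sample file contents and the helper names are constructed, and taking the smaller of the two values is a reading of the quoted description.

```python
import configparser

# Constructed sample files. In a standard install, edits go in
# $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/apps/<app>/local/.
ALERT_ACTIONS_DEFAULT = """
[email]
maxresults = 10000
"""
ALERT_ACTIONS_LOCAL = """
[email]
maxresults = 2000
"""
SAVEDSEARCHES_LOCAL = """
# "Daily Export Alert" is a hypothetical saved search
[Daily Export Alert]
action.email = 1
action.email.sendpdf = 1
action.email.maxresults = 5000
"""


def load_layers(*texts):
    """Merge conf layers in order; later layers (local) override earlier ones (default)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    for text in texts:
        cp.read_string(text)
    return cp


def effective_email_maxresults(saved, actions, search, spec_default=10000):
    """Return the per-search value capped by [email] maxresults, when that is set."""
    # 10000 is the default quoted in the answer for action.email.maxresults.
    per_search = saved.getint(search, "action.email.maxresults", fallback=spec_default)
    global_cap = actions.getint("email", "maxresults", fallback=None)
    return per_search if global_cap is None else min(per_search, global_cap)


if __name__ == "__main__":
    saved = load_layers(SAVEDSEARCHES_LOCAL)
    actions = load_layers(ALERT_ACTIONS_DEFAULT, ALERT_ACTIONS_LOCAL)
    cap = effective_email_maxresults(saved, actions, "Daily Export Alert")
    print(f"Daily Export Alert: at most {cap} results per email")
```

With the constructed local override in place, the alert asks for 5000 results but only 2000 are emailed; removing the override raises the effective cap back to 5000.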

SplunkTrust

Hi johnpatrick27,
Beware of the dimensions of your file: check whether it is within or exceeds your email limits; this is the reason for the PDF limit.
Bye.
Giuseppe

0 Karma

New Member

Thanks for your response, Giuseppe. Do you know where I can find this limit setting? I am pretty new to Splunk and have very minimal knowledge of configuration files.

I re-configured my email alert to attach both CSV and PDF. The CSV file includes the entire result (file size: 203KB) while the PDF includes an incomplete result, only 1000 records (file size: 80KB). Now I am getting confused about why the CSV file can include the entire result while the PDF cannot. Should this setting in email limit be the same for both file types?

0 Karma

SplunkTrust

Hi johnpatrick27,
I'm not speaking about a Splunk limit, but about an email limit: usually company email systems have a limit of 5 or 10 MB for attachments, so if the Splunk alert attachment exceeds this limit, the email is blocked.
Check by downloading your PDF in a report and see its dimensions; maybe this isn't your problem, but with this check you can exclude a problem that I usually find.
Bye.
Giuseppe

0 Karma

New Member

I see your point. I don't think this email limit is applicable to my case. Like I said, I'm able to retrieve the complete result set through the CSV attachment with a file size of 203KB. So based on this, I don't think this is the reason why I couldn't get the complete results via PDF. Thank you, though, for sharing your insight.

0 Karma