Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure Splunk to create an email alert that sends out a CSV file that includes 250,000 records?

angajalaprabhu
New Member
‎09-26-2016 04:16 PM

I need to create an alert to send 250,000+ records in the CSV attachment.
Initially it allowed me to send only 10K results. Have added new stanzas in savedsearches.conf, alert_actions.conf and limits.conf. Below are the respective stanzas.

alert_actions.conf

[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxinputs{default=500000}$" maxtime="$action.email.maxtime{default=5m}$"

savedsearches.conf

action.email.maxresults =500000

dispatch.max_count =500000

limits.conf

[scheduler]
max_action_results = 500000

Currently able to send only 50K records.

Is there any stanza I need to add in any Config file to achieve this?

Thanks in advance.

0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎05-30-2017 11:26 AM

After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.

$SPLUNK_HOME/etc/system/local/limits.conf
[scheduler]
max_action_results = 175000

[searchresults]
maxresultrows = 175000

$SPLUNK_HOME/etc/system/local/alert_actions.conf

[default]
maxresults = 175000

this enables an email alert containg a .csv to have 175k rows

Note: When I pushed the same configs from deployer and they ended up in an app/default as it should, but my .csv was limited to 10k rows.. when i put it straight on $SPLUNK_HOME/etc/system/local via cli on each member I got 175k rows in the csv

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...