I need to create an alert to send 250,000+ records in the CSV attachment.
Initially it allowed me to send only 10K results. Have added new stanzas in savedsearches.conf, alert_actions.conf and limits.conf. Below are the respective stanzas.
alert_actions.conf
[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxinputs{default=500000}$" maxtime="$action.email.maxtime{default=5m}$"
savedsearches.conf
action.email.maxresults = 500000
dispatch.max_count = 500000
limits.conf
[scheduler]
max_action_results = 500000
Currently able to send only 50K records.
Is there any stanza I need to add in any Config file to achieve this?
Thanks in advance.
After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.
$SPLUNK_HOME/etc/system/local/limits.conf
[scheduler]
max_action_results = 175000
[searchresults]
maxresultrows = 175000
$SPLUNK_HOME/etc/system/local/alert_actions.conf
[default]
maxresults = 175000
This enables an email alert containing a .csv to have 175k rows.
Note: When I pushed the same configs from the deployer, they ended up in an app's default directory as they should, but my .csv was limited to 10k rows. When I put them straight in $SPLUNK_HOME/etc/system/local via the CLI on each member, I got 175k rows in the .csv.
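As an added example (not part of the original thread or Splunk's own tooling), here is a small Python check that parses the three stanzas the answer names, reports any that are missing, and returns the smallest value found. The .conf contents are constructed inline to mirror the answer's values; the rule that the lowest of the three settings bounds the attachment is my assumption, drawn from the answer's observation that all three had to be raised before the row count went up.

```python
"""Check the three Splunk settings that cap rows in an alert's CSV attachment."""
from typing import Dict, List, Tuple

# Constructed sample file contents (not copied from a live search head).
LIMITS_CONF = """
[scheduler]
max_action_results = 175000

[searchresults]
maxresultrows = 175000
"""

ALERT_ACTIONS_CONF = """
[default]
maxresults = 175000
"""

# The (file, stanza, key) triples the answer says must all be raised together.
REQUIRED = (
    ("limits.conf", "scheduler", "max_action_results"),
    ("limits.conf", "searchresults", "maxresultrows"),
    ("alert_actions.conf", "default", "maxresults"),
)


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk's INI-style .conf files: stanza -> {key: value}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # new stanza header
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_row_cap(confs: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (smallest cap among the settings present, list of missing settings).

    confs maps a file name ("limits.conf", "alert_actions.conf") to its text.
    A missing setting means Splunk's shipped default still applies, so the
    real cap is lower than the returned number (assumption: lowest value wins).
    """
    parsed = {name: parse_conf(text) for name, text in confs.items()}
    caps: List[int] = []
    missing: List[str] = []
    for fname, stanza, key in REQUIRED:
        value = parsed.get(fname, {}).get(stanza, {}).get(key)
        if value is None:
            missing.append(f"{fname} [{stanza}] {key}")
        else:
            caps.append(int(value))
    return (min(caps) if caps else 0), missing


if __name__ == "__main__":
    cap, gaps = effective_row_cap(
        {"limits.conf": LIMITS_CONF, "alert_actions.conf": ALERT_ACTIONS_CONF}
    )
    print(f"lowest explicit cap: {cap} rows")
    for gap in gaps:
        print(f"missing (default applies): {gap}")
```

To use it against a real search head, read each file from $SPLUNK_HOME/etc/system/local (the location the answer found to work) and pass the texts in; a non-empty missing list, or a cap below the number of rows you expect, points at the setting to fix on that cluster member.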