How to configure Splunk to create an email alert that sends out a CSV file that includes 250,000 records?

New Member

I need to create an alert to send 250,000+ records in the CSV attachment.
Initially it allowed me to send only 10K results. Have added new stanzas in savedsearches.conf, alert_actions.conf and limits.conf. Below are the respective stanzas.


command = ${default=""}$ | sendemail "to=$$" "server=${default=localhost}$" "from=${default=splunk@localhost}$" "subject=${recurse=yes}$" "format=${default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=${default=False}$" "sendresults=${default=False}$" "sendpdf=${default=False}$" "pdfview=$$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="${default=500000}$" maxtime="${default=5m}$"

savedsearches.conf =500000

dispatch.max_count =500000


max_action_results = 500000

Currently able to send only 50K records.

Is there any stanza I need to add in any Config file to achieve this?

Thanks in advance.

0 Karma

Splunk Employee
Splunk Employee

After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.

max_action_results = 175000

maxresultrows = 175000


maxresults = 175000

this enables an email alert containg a .csv to have 175k rows

Note: When I pushed the same configs from deployer and they ended up in an app/default as it should, but my .csv was limited to 10k rows.. when i put it straight on $SPLUNK_HOME/etc/system/local via cli on each member I got 175k rows in the csv

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...