How to configure Splunk to create an email alert that sends out a CSV file that includes 250,000 records?

New Member

I need to create an alert to send 250,000+ records in the CSV attachment.
Initially it allowed me to send only 10K results. I have added new stanzas in savedsearches.conf, alert_actions.conf and limits.conf. Below are the respective stanzas.


command = ${default=""}$ | sendemail "to=$$" "server=${default=localhost}$" "from=${default=splunk@localhost}$" "subject=${recurse=yes}$" "format=${default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=${default=False}$" "sendresults=${default=False}$" "sendpdf=${default=False}$" "pdfview=$$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="${default=500000}$" maxtime="${default=5m}$"

savedsearches.conf =500000

dispatch.max_count =500000


max_action_results = 500000

Currently able to send only 50K records.

Is there any stanza I need to add in any Config file to achieve this?

Thanks in advance.

0 Karma

Splunk Employee

After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.

max_action_results = 175000

maxresultrows = 175000


maxresults = 175000

This enables an email alert containing a .csv to have 175k rows.

Note: When I pushed the same configs from the deployer, they ended up in an app/default as they should, but my .csv was limited to 10k rows. When I put it straight in $SPLUNK_HOME/etc/system/local via CLI on each member, I got 175k rows in the CSV.

0 Karma
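One thing to check when a pushed setting does not seem to take effect is which configuration layer supplies the value. The following is an added example, not code from this thread or from Splunk: it resolves `limits.conf` settings across constructed layers, assuming Splunk's documented global-context precedence (system/local, then app local, then app default, then system/default). The app names and the 50000 values are made up; on a real search head, `splunk btool limits list --debug` reports the winning file for each setting.

```python
# Constructed sample layers, keyed by path relative to $SPLUNK_HOME/etc.
# App names and the 50000 values are made up for illustration.
LAYERS = {
    "system/default/limits.conf":
        "[scheduler]\nmax_action_results = 50000\n"
        "[searchresults]\nmaxresultrows = 50000\n",
    "apps/zz_csv_limits/default/limits.conf":   # e.g. an app pushed by the deployer
        "[scheduler]\nmax_action_results = 175000\n"
        "[searchresults]\nmaxresultrows = 175000\n",
    "apps/aa_other/local/limits.conf":          # another app that also sets a limit
        "[searchresults]\nmaxresultrows = 50000\n",
}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any stanza go to 'default'."""
    stanzas, current = {}, "default"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def rank(path):
    """Sort key for a layer; the lowest rank wins (assumed global-context order)."""
    parts = path.split("/")
    if parts[0] == "system":
        return (0, "") if parts[1] == "local" else (3, "")
    # apps/<name>/<local|default>/...: local beats default, then app name in ASCII order
    return (1 if parts[2] == "local" else 2, parts[1])

def effective(layers, stanza, key):
    """Return (value, winning_path) for a setting, or (None, None) if unset."""
    for path in sorted(layers, key=rank):
        value = parse_conf(layers[path]).get(stanza, {}).get(key)
        if value is not None:
            return value, path
    return None, None

if __name__ == "__main__":
    for stanza, key in [("scheduler", "max_action_results"), ("searchresults", "maxresultrows")]:
        print(stanza, key, effective(LAYERS, stanza, key))
```

In this constructed layout, `maxresultrows` from the app's default directory loses to another app's local file, while the same value placed in system/local would win.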