Alerting
Highlighted

How to configure Splunk to create an email alert that sends out a CSV file that includes 250,000 records?

New Member

I need to create an alert to send 250,000+ records in the CSV attachment.
Initially it allowed me to send only 10K results. Have added new stanzas in savedsearches.conf, alert_actions.conf and limits.conf. Below are the respective stanzas.

alert_actions.conf

[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxinputs{default=500000}$" maxtime="$action.email.maxtime{default=5m}$"

savedsearches.conf

action.email.maxresults =500000

dispatch.max_count =500000

limits.conf

[scheduler]
max_action_results = 500000

Currently able to send only 50K records.

Is there any stanza I need to add in any Config file to achieve this?

Thanks in advance.

0 Karma
Highlighted

Re: How to configure Splunk to create an email alert that sends out a CSV file that includes 250,000 records?

Splunk Employee
Splunk Employee

After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.

$SPLUNKHOME/etc/system/local/limits.conf
[scheduler]
max
action_results = 175000

[searchresults]
maxresultrows = 175000

$SPLUNKHOME/etc/system/local/alertactions.conf

[default]
maxresults = 175000

this enables an email alert containg a .csv to have 175k rows

Note: When I pushed the same configs from deployer and they ended up in an app/default as it should, but my .csv was limited to 10k rows.. when i put it straight on $SPLUNK_HOME/etc/system/local via cli on each member I got 175k rows in the csv

0 Karma