Solved: Re: How to send alert search results as an email C...

nawneel · ‎08-03-2015

Hi

I would like to send more than hundred thousand (100,000) events as a CSV attachment to email. When I fire this search with this requirement, I get a message in email as Only the first 10000 of 123968 results are included in the attached csv. I have tried changing the configuration file at $Splunk_Home\etc\system\local\alert_action.conf with [default] maxresults=10000 to maxresults=100000, but all in vain.

People to whom I will send this report are not supposed to access the Splunk Server, so am email attachment is only option for now.

Thanks in advance

somesoni2 · ‎08-03-2015

You can increase the limit by updating following attribute in alert_actions.conf file

[email]
maxresults = 100000

View solution in original post

rphillips_splk · ‎05-30-2017

After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.

$SPLUNK_HOME/etc/system/local/limits.conf
[scheduler]
max_action_results = 175000

[searchresults]
maxresultrows = 175000

$SPLUNK_HOME/etc/system/local/alert_actions.conf

[default]
maxresults = 175000

this enables an email alert containg a .csv to have 175k rows

Note: When I pushed the same configs from deployer and they ended up in an app/default as it should, but my .csv was limited to 10k rows.. when i put it straight on $SPLUNK_HOME/etc/system/local via cli on each member I got 175k rows in the csv

somesoni2 · ‎08-03-2015

You can increase the limit by updating following attribute in alert_actions.conf file

[email]
maxresults = 100000

nawneel · ‎08-06-2015

[default]
maxresults=100000
[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=100000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

i have provided following changes , now i am facing a limit of 50000 records in my csv attachment

angajalaprabhu · ‎09-26-2016

I'm facing the same issue. Did any one overcome the limit of 50k.
I need to create an alert to send 250,000 records in the CSV attachment.

hkgserverteam · ‎01-05-2016

Hi , Did you get around the 50,000 record limit?

nawneel · ‎03-01-2016

@hkgserverteam i am still facing this issue. did u resolve this 50000 record limit?

nawneel · ‎04-11-2016

@hkgserverteam are you still facing issue. yeah i have made to 50000 record limits

somesoni2 · ‎08-03-2015

Did you restart/refresh after making this change? What version of Splunk you have?

nawneel · ‎08-03-2015

yes @somesoni2 i did make changes and restarted it , dint work

How to send alert search results as an email CSV attachment for more than 10,000 events?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to send alert search results as an email CSV attachment for more than 10,000 events?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0