
Is there a limit on the number of results that can be included in an email alert?

Path Finder

Hello, the events in the CSV file sent by the alert action email are limited to 1000. Is this correct? How can I increase the limit?

Thanks.


Re: Is there a limit on the number of results that can be included in an email alert?

Splunk Employee

There is a setting that dictates the maximum number of results that will be sent with any alert. This is the maxresults parameter that resides in the alert_actions.conf file. By default this is set to 100. For reference, you could set it to 2000 by adding this line to a $SPLUNK_HOME/etc/system/local/alert_actions.conf file:

maxresults=2000

http://www.splunk.com/base/Documentation/latest/Admin/Alertactionsconf


Re: Is there a limit on the number of results that can be included in an email alert?

Explorer

I modified the setting, but the problem has not changed.

0 Karma

Re: Is there a limit on the number of results that can be included in an email alert?

Contributor

This is caused by a typo in the default alert_actions.conf, and will be fixed in the next release. For an immediate fix, add this to etc/system/local/alert_actions.conf:

[email]
command =  $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"

Re: Is there a limit on the number of results that can be included in an email alert?

Builder

There have been a few releases since September 2010 now, and this is still not fixed as far as I can tell...

But thanks for the solution.

0 Karma

Re: Is there a limit on the number of results that can be included in an email alert?

Explorer

We have been told by support to add:

maxinputs="$action.email.maxresults{default=10000}$"

To the alert_inputs.conf file, however this does not make it work.

Anyone else get this to work? At this point I have been told this won't be fixed until the next version (we are currently running 4.1.5) but need it to work NOW. If I run this query at the command line and pipe the output to a file will it give me the same limitation?

0 Karma

Re: Is there a limit on the number of results that can be included in an email alert?

Path Finder

Hi. I just upgraded from 4.0.11 and had the same problem. After reading this thread and looking at the command in the email stanza in alert_actions.conf, I found the problem, which corresponds with what vbumgarner posted. Specifically, in the old alert_actions.conf from 4.0.11, the command contained:

maxinputs="$maxinputs{default=100}$"

It should be:

maxinputs="$action.email.maxresults{default=1000}$"

Otherwise, maxresults=foo is meaningless, eh?

0 Karma
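
The check this thread converges on, as an added example that is not part of any post above: merge the default and local [email] stanzas (local wins per key) and report whether the maxinputs argument of the sendemail command references $action.email.maxresults$. The function names are hypothetical, the two sample files are constructed with the command shortened, and line continuations in .conf files are not handled.

```python
import re

# Constructed samples: a shipped default with the old token, and the local
# override from the thread (command shortened for readability).
DEFAULT_CONF = '''[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" maxinputs="$maxinputs{default=100}$"
'''
LOCAL_CONF = '''[email]
maxresults = 2000
command = $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" maxinputs="$action.email.maxresults{default=1000}$"
'''
MAXINPUTS = re.compile(r'maxinputs="\$([\w.]+)\{default=(\d+)\}\$"')

def email_stanza(conf_text):
    """Parse key = value pairs of the [email] stanza (no line continuations)."""
    settings, stanza = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stanza = header.group(1)
        elif stanza == "email" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_email_limit(default_text, local_text=""):
    """Merge default and local (local wins per key) and inspect maxinputs."""
    merged = {**email_stanza(default_text), **email_stanza(local_text)}
    match = MAXINPUTS.search(merged.get("command", ""))
    if match is None:
        return {"status": "no-maxinputs-argument"}
    token, fallback = match.group(1), int(match.group(2))
    honoured = token == "action.email.maxresults"
    return {
        "status": "ok" if honoured else "maxresults-ignored",
        "token": token,          # token that feeds sendemail's maxinputs
        "fallback": fallback,    # the {default=N} written in the command
        "maxresults": merged.get("maxresults"),
    }

if __name__ == "__main__":
    print(check_email_limit(DEFAULT_CONF))
    print(check_email_limit(DEFAULT_CONF, LOCAL_CONF))
```

A result of "maxresults-ignored" means a maxresults line alone will not change the number of results sent, which matches the replies reporting that the setting had no effect.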