Is there a limit on the number of results that can be included in an email alert?

Path Finder

Hello, the events in the CSV file sent by the alert action email are limited to 1000. Is this correct? How can I increase the limit?



Path Finder

Hi. I just upgraded from 4.0.11 and had the same problem. After reading this thread and looking at the command in the email stanza in alert_actions.conf, I found the problem, which corresponds with what vbumgarner posted. Specifically, in the old alert_actions.conf from 4.0.11, the command contained:


It should be:


Otherwise, maxresults=foo is meaningless, eh?

0 Karma


We have been told by support to add:


To the alert_inputs.conf file; however, this does not make it work.

Anyone else get this to work? At this point I have been told this won't be fixed until the next version (we are currently running 4.1.5) but need it to work NOW. If I run this query at the command line and pipe the output to a file, will it give me the same limitation?

0 Karma


This is caused by a typo in the default alert_actions.conf, and will be fixed in the next release. For an immediate fix, add this to etc/system/local/alert_actions.conf:

command =  ${default=""}$ | sendemail "to=$$" "server=${default=localhost}$" "from=${default=splunk@localhost}$" "subject=${recurse=yes}$" "format=${default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=${default=False}$" "sendresults=${default=False}$" "sendpdf=${default=False}$" "pdfview=$$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="${default=1000}$" maxtime="${default=5m}$"


There have been a few releases since September 2010 now, and this is still not fixed as far as I can tell...

But thanks for the solution.

0 Karma


I modified the setting, but the problem has not changed.

0 Karma
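A small audit of the behaviour discussed in the answers above, as an added example (not code from any poster or from Splunk): it merges a default and a local alert_actions.conf layer and reports whether the [email] command carries a maxinputs argument at all, since without one a maxresults override never reaches sendemail and emailed results stay silently capped. The conf text and the token names in it are constructed placeholders, and the simple "later layer wins" merge is an assumption.

```python
import configparser
import re

# Constructed sample layers (placeholder tokens, not a real Splunk default).
DEFAULT_CONF = """
[email]
maxresults = 100
command = $preprocess$ | sendemail "to=$to$" "format=$format{default=csv}$"
"""
LOCAL_CONF = """
[email]
maxresults = 2000
"""
# Same local layer, plus a command override that passes maxinputs through.
FIXED_LOCAL_CONF = LOCAL_CONF + (
    'command = $preprocess$ | sendemail "to=$to$" '
    'maxinputs="$maxresults{default=1000}$"\n'
)


def load_layers(*texts):
    """Merge conf layers; a later layer overrides an earlier one per key."""
    cp = configparser.RawConfigParser(strict=False)  # no $ interpolation
    cp.optionxform = str  # keep key case as written
    for text in texts:
        cp.read_string(text)
    return cp


def audit_email_limit(cp):
    """Report whether the [email] maxresults value can reach sendemail."""
    email = cp["email"] if cp.has_section("email") else {}
    command = email.get("command", "")
    # Capture whatever follows maxinputs= (optionally quoted, optional $).
    m = re.search(r'maxinputs="?\$?([^"\s]*)', command)
    findings = {
        "maxresults": int(email.get("maxresults", 0)) or None,
        "command_has_maxinputs": m is not None,
        "maxinputs_fallback": None,
    }
    if m:
        fb = re.search(r"\{default=(\d+)\}", m.group(1))
        findings["maxinputs_fallback"] = int(fb.group(1)) if fb else None
    # The override only matters if the command forwards a limit at all.
    findings["limit_effective"] = bool(findings["maxresults"] and m)
    return findings
```
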

Splunk Employee

There is a setting that dictates the maximum number of results that will be sent with any alert. This is the maxresults parameter that resides in the alert_actions.conf file. By default this is set to 100. For reference, you could set it to 2000 by adding this line to a $SPLUNK_HOME/etc/system/local/alert_actions.conf file:

