Unable to send an alert notification, resultscount > 60000

vn_g
Path Finder

 

-- index=_internal sourcetype=scheduler alert_actions=email status=success savedsearch_name="Okta_ResearchCenter_login_data_*"
The above query shows that the Splunk alert action is success.

-- index=_internal source=*python.log

2020-11-17 12:45:38,888 +0530 ERROR sendemail:475 - (552, '5.3.4 Message is too long.') while sending mail to: abc@xyz.com
2020-11-17 12:45:38,887 +0530 ERROR sendemail:142 - Sending email. subject="Splunk Report: Okta_ResearchCenter_login_data_SeptemberReport", results_link="https://abc-sh111.com/app/search/@go?sid=scheduler_dbmFnYXNyabkBiY2cuY29t__search__RMD54e9f54654ca73...", recipients="[u'abc@xyz.com']", server="email-smtp.us-east-111.aws.com:587"

-- settings in action.action_history.maxresults and action.email.maxresults are changed to 1000000

-- Output of the query is 63,074 lines


gcusello
SplunkTrust

Hi @vn_g,

all email systems have limits in message and/or attachment dimensions.

So you have to know what's the limit of your system and then you can do two things:

  • configure your reports to limit the number of results (if acceptable),
  • send to your customer a message with the link to the report.

Ciao.

Giuseppe


vn_g
Path Finder

My email systems were limiting attachment size to 10 MB.

vn_g
Path Finder

Verified internally, our email systems allow up to 20 MB size attachments. When I try to manually download the result, it is approximately 12 MB, but it is still failing when scheduled for alert notification.


gcusello
SplunkTrust

Hi @vn_g,

The error message is clear: your message is too big!

Try again with a smaller message (less than 10 MB), e.g. limiting the results to 40,000.

Ciao.

Giuseppe
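
In this thread the scheduler log reports the email action as a success while python.log records the SMTP 552 rejection, so a failed alert delivery is easy to miss. The following added example (not from the thread or from Splunk) parses python.log lines in the layout quoted in the question and pairs each SMTP rejection with the report subject logged alongside it; the function name and the 2-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# python.log lines copied from the question above (sid truncated as on the page).
SAMPLE_LOG = """\
2020-11-17 12:45:38,888 +0530 ERROR sendemail:475 - (552, '5.3.4 Message is too long.') while sending mail to: abc@xyz.com
2020-11-17 12:45:38,887 +0530 ERROR sendemail:142 - Sending email. subject="Splunk Report: Okta_ResearchCenter_login_data_SeptemberReport", results_link="https://abc-sh111.com/app/search/@go?sid=scheduler_dbmFnYXNyabkBiY2cuY29t__search__RMD54e9f54654ca73...", recipients="[u'abc@xyz.com']", server="email-smtp.us-east-111.aws.com:587"
"""

HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) ([+-]\d{4}) (\w+) sendemail:\d+ - (.*)$")
SMTP_FAIL = re.compile(r"^\((\d{3}), '([^']*)'\) while sending mail to: (\S+)")
SUBJECT = re.compile(r'subject="([^"]*)"')

def failed_email_alerts(log_text, window=timedelta(seconds=2)):
    """Return one record per SMTP rejection, with the report subject when found."""
    sends, failures = [], []
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m or m.group(3) != "ERROR":
            continue
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S,%f %z")
        body = m.group(4)
        fail = SMTP_FAIL.match(body)
        subj = SUBJECT.search(body)
        if fail:
            failures.append({"time": when, "smtp_code": int(fail.group(1)),
                             "smtp_text": fail.group(2), "recipient": fail.group(3),
                             "subject": None})
        elif body.startswith("Sending email.") and subj:
            sends.append((when, subj.group(1)))
    # Pair each rejection with the closest "Sending email." line inside the window.
    for f in failures:
        near = [(abs(f["time"] - t), s) for t, s in sends if abs(f["time"] - t) <= window]
        if near:
            f["subject"] = min(near)[1]
    return failures

if __name__ == "__main__":
    for rec in failed_email_alerts(SAMPLE_LOG):
        print(rec["time"].isoformat(), rec["smtp_code"], rec["recipient"], rec["subject"])
```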
