Unable to send an alert notification, resultscount > 60000

vn_g

-- index=_internal sourcetype=scheduler alert_actions=email status=success savedsearch_name="Okta_ResearchCenter_login_data_*"
The above query states that the Splunk alert action succeeded.

-- index=_internal source=*python.log

2020-11-17 12:45:38,888 +0530 ERROR sendemail:475 - (552, '5.3.4 Message is too long.') while sending mail to: abc@xyz.com
2020-11-17 12:45:38,887 +0530 ERROR sendemail:142 - Sending email. subject="Splunk Report: Okta_ResearchCenter_login_data_SeptemberReport", results_link="https://abc-sh111.com/app/search/@go?sid=scheduler_dbmFnYXNyabkBiY2cuY29t__search__RMD54e9f54654ca73...", recipients="[u'abc@xyz.com']", server="email-smtp.us-east-111.aws.com:587"

-- The settings action.action_history.maxresults and action.email.maxresults were changed to 1000000

-- Output of the query is 63,074 lines

gcusello

Hi @vn_g,

All email systems have limits on message and/or attachment size.

So you have to know what the limit of your system is, and then you can do two things:

  • configure your reports to limit the number of results (if acceptable),
  • send your customer a message with the link to the report.

Ciao.

Giuseppe

vn_g

My email systems were limiting attachment size to 10 MB.

vn_g

Verified internally, our email systems allow up to 20 MB size attachments. When I try to manually download the result, it is approximately 12 MB, but still it is failing when scheduled for alert notification.

gcusello

Hi @vn_g,

The error message is clear: your message is too big!

Try again with a smaller message (less than 10 MB), e.g. limiting the results to 40,000.

Ciao.

Giuseppe
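
Added example (not part of the thread and not Splunk's code): an SMTP size limit applies to the message as transmitted, and a base64-encoded attachment is roughly 37% larger than the file you download, so this sketch measures the on-the-wire size and finds how many result rows fit under a limit. It assumes the CSV is attached base64-encoded; the rows, the sender address and the function names are constructed for illustration.

```python
from email import policy
from email.message import EmailMessage


def wire_size(csv_bytes: bytes) -> int:
    """Bytes the SMTP server receives for one message carrying csv_bytes."""
    msg = EmailMessage(policy=policy.SMTP)   # CRLF line endings, as on the wire
    msg["From"] = "splunk@example.com"       # constructed sender
    msg["To"] = "abc@xyz.com"
    msg["Subject"] = "Splunk Report: constructed sample"
    msg.set_content("Results attached.")
    # A bytes attachment is base64-encoded: 57 raw bytes -> 76 chars + CRLF.
    msg.add_attachment(csv_bytes, maintype="text", subtype="csv",
                       filename="results.csv")
    return len(msg.as_bytes())


def make_rows(n: int) -> list:
    """Constructed login-report rows, 197 bytes each."""
    pad = "x" * 120
    return [f"2020-09-01T00:00:00+0530,user{i:06d}@example.com,"
            f"Okta_ResearchCenter,SUCCESS,{pad}\n".encode() for i in range(n)]


def max_rows_that_fit(rows: list, limit: int) -> int:
    """Largest row count whose encoded message stays within limit.

    Binary search works because the encoded size grows with the row count.
    Returns 0 when not even one row fits.
    """
    lo, hi = 0, len(rows)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if wire_size(b"".join(rows[:mid])) <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    rows = make_rows(63074)                  # row count from the question
    raw = b"".join(rows)
    print(f"raw CSV:     {len(raw) / 2**20:.1f} MiB")
    print(f"on the wire: {wire_size(raw) / 2**20:.1f} MiB")
    print("rows that fit under 10 MiB:", max_rows_that_fit(rows, 10 * 2**20))
```

Run it with rows shaped like your own report and your mail server's real limit to pick a safe value for the result cap.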
