Alerting

Unable to send an alert notification , resultscount > 60000

vn_g
Path Finder

 

-- index=_internal sourcetype=scheduler alert_actions=email status=success savedsearch_name="Okta_ResearchCenter_login_data_*"
Above query states splunk alert action is success.

-- index=_internal source=*python.log

2020-11-17 12:45:38,888 +0530 ERROR sendemail:475 - (552, '5.3.4 Message is too long.') while sending mail to: abc@xyz.com
2020-11-17 12:45:38,887 +0530 ERROR sendemail:142 - Sending email. subject="Splunk Report: Okta_ResearchCenter_login_data_SeptemberReport", results_link="https://abc-sh111.com/app/search/@go?sid=scheduler_dbmFnYXNyabkBiY2cuY29t__search__RMD54e9f54654ca73...", recipients="[u'abc@xyz.com']", server="email-smtp.us-east-111.aws.com:587"

-- settings in action.action_history.maxresults and action.email.maxresults are changed to 1000000

-- O/p of the query is 63,074 lines

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @vn_g,

all email systems have limits in message and/or attachment dimensions.

So you have to know what's the limit of your system and then you can do two things:

  • configure your  reports to limit the number of results (if acceptable),
  • send to your customer a messagge with the link to the report.

Ciao.

Giuseppe

View solution in original post

vn_g
Path Finder

My email systems were limiting attachments size to 10 MB.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vn_g,

all email systems have limits in message and/or attachment dimensions.

So you have to know what's the limit of your system and then you can do two things:

  • configure your  reports to limit the number of results (if acceptable),
  • send to your customer a messagge with the link to the report.

Ciao.

Giuseppe

vn_g
Path Finder

Verified internally , our email systems allow up to 20 MB size attachments. When I try to manually download the result , it is approximately 12MB ,  but still it is failing when scheduled for alert notification.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vn_g,

the error message is clear: your message is too big!

try again with a smaller message (less than 10 MB) e.g. limiting the results to 40,000.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...