Alerting

Why does my Splunk alert only include 1000 results in the attached csv?

mekamundia
Explorer

Hi to all,
I am a real newbie in Splunk. Sorry for my simple question, but I really need help.
I have set an automated alert on Splunk that collects over 8000 results when triggered. I tried to dispatch those results by email in a .csv document, but Splunk only attaches the first 1000 results to the file. Conversely, when I relaunched the search manually, it easily produced a complete csv document.
How can I extend the number of results in the mail attachment?
I also read the topic "Splunk Alert only includes first 1000 results of search. Why?" but it seems to me it does not give a solution to this problem: (there seems to be some hard-coded voodoo going on behind the scenes. And for whatever reason, that voodoo wants to keep you from sending more than 1,000 events in your email)
Thanks in advance for every tip.

jaxjohnny2000
Builder

Using the Web GUI, modify just this one report you want to change. Try going into Edit - Advanced Edit. Then scroll down to action.email.maxresults. The default value there is 10000. Add another zero (0) so it reads 100000.

yannK
Splunk Employee

The limits are in 2 places:

  • in alert_actions maxresults=10000
  • in alert_actions in the command calling the email script.

You can redefine this in your local/alert_actions.conf

Here is a way to bump the limit to 50000 for the email alerts only (on 6.2.0; please adapt the command to your version):

[email]
command     = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=50000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

maxresults=50000
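To check which of the settings discussed in this thread actually wins before restarting anything, here is an added example (not from this thread or from Splunk itself) that applies the conf layering to constructed sample files: local/ overrides default/ key by key, and the [email] command decides which token feeds sendemail's maxinputs. The file contents, the search names and the exact resolution order are assumptions.

```python
import configparser
import re
# Constructed sample conf text (assumed stand-ins, not copied from any real install).
DEFAULT_ALERT_ACTIONS = """
[default]
maxresults = 10000
[email]
command = sendemail "ssname=$name$" maxinputs="$action.email.maxresults{default=10000}$"
maxresults = 10000
"""
LOCAL_ALERT_ACTIONS = """
[email]
maxresults = 50000
"""
SAVEDSEARCHES = """
[nightly_report]
action.email.maxresults = 100000
[small_report]
"""

def parse_conf(text):
    # INI-like; no interpolation because values hold literal $token$ strings; keys keep case.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_layers(*layers):
    # Later layers win key by key, mirroring local/ overriding default/.
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

def maxinputs_token(alert_actions):
    # Which conf key the [email] command feeds to sendemail's maxinputs, plus its fallback.
    m = re.search(r'maxinputs="\$([\w.]+)\{default=(\d+)\}\$"', alert_actions["email"]["command"])
    return m.group(1), int(m.group(2))

def effective_email_limit(alert_actions, savedsearches, search_name):
    # Assumed order: search's own action.email.maxresults > [email] maxresults > [default] maxresults > command {default=N}.
    key, fallback = maxinputs_token(alert_actions)
    if key in savedsearches.get(search_name, {}):
        return int(savedsearches[search_name][key]), "savedsearches.conf"
    stanza_key = key.rsplit(".", 1)[-1]  # action.email.maxresults -> maxresults
    for stanza in ("email", "default"):
        if stanza_key in alert_actions.get(stanza, {}):
            return int(alert_actions[stanza][stanza_key]), f"alert_actions.conf [{stanza}]"
    return fallback, "command default"
```

Run it against a copy of your own default/ and local/ files to see where the 1000 (or 10000) is really coming from before editing stanzas blindly.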

MuS
SplunkTrust

Hi mekamundia,

You can apply some anti-voodoo globally in alert_actions.conf by setting

[default]
maxinputs = <YourNewMaxResultNumber>

or per saved search/alert in savedsearch.conf like this:

action.email.maxinputs = <YourNewMaxResultNumber>

Hope this helps to fight the Voodoo 😉

cheers, MuS

mekamundia
Explorer

Nothing to do.... again.
Sorry somesoni2, but your solution does not work either.
I'll wait for new tips from everybody.

mekamundia
Explorer

I have tested the modification...
nothing new happened. The voodoo remains... 😞

somesoni2
Revered Legend

Try the maxresults attribute in alert_actions.conf and action.email.maxresults in savedsearches.conf for your search.

mekamundia
Explorer

Ok, I'll try again, modifying the [default] stanza.
The search runs at night: tomorrow I'll see the results.

Thanks for your support!

mekamundia
Explorer

Hi MuS

Yesterday I applied the modification to alert_actions.conf and restarted the search head (where the search is saved and runs).
But the voodoo remains :(...

What did I miss?
I need some more tips!

cheers,
Mekamundia

MuS
SplunkTrust

Oops, looks like maxinputs belongs to the [default] stanza and not [email] in alert_actions.conf - sorry, my bad.

MuS
SplunkTrust

Did you try the action.email.maxinputs in savedsearch.conf as well?
