Re: Why my Splunk alert only include 1000 results ...

mekamundia · ‎10-30-2014

Hi to all,
I am a real newbie in Splunk. Sorry for my simple question, but I really need help.
I have set an automated alert on Splunk that collects over 8000 results when triggered. I tried dispatch those results by email in a .csv document, but Splunk only attach first 1000 results to the file. Vice versa when I relaunched the search manually, it made easily a complete csv document.
How I can extend the number of results in mail attachment ?
I also read the topic Splunk Alert only includes first 1000 results of search. Why? but it seems to me does not gave a solution to this problem: (there seems to be some hard-coded voodoo going on behind the scenes. And for whatever reason, that voodoo wants to keep your from sending more than 1,000 events in your email)
thanks in advance for every tip

jaxjohnny2000 · ‎07-18-2019

Using the Web GUI, modify just this one report you want to change. Try to go into Edit - Advanced Edit. The scroll down to action.email.maxresults . The default value is there for 10000. Add another zero (0) so it reads 100000.

yannK · ‎11-19-2014

the limits are in 2 places :

in alert_actions maxresults=10000
in alert_actions in the command calling the email script.

you can redefine this in our local/alert_actions.conf

Here is a way to bump the limit to 50000 for the email alerts only. (on 6.2.0, please adapt the command to your version)

[email]
command     = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=50000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

maxresults=50000

MuS · ‎10-30-2014

Hi mekamundia,

you can apply some anti-voodoo globally in alert_actions.conf by setting

[default]
maxinputs = <YourNewMaxResultNumber>

or per saved search/ alert in savedsearch.conf like this:

action.email.maxinputs = <YourNewMaxResultNumber>

Hope this helps to fight the Voodoo 😉

cheers, MuS

mekamundia · ‎11-06-2014

Nothing to do.... again.
Sorry somesoni2 but also your solution does not work.
I wait for new tips from everybody.

mekamundia · ‎10-31-2014

I have tested the modify...
nothing new happened. The vodoo remains... 😞

somesoni2 · ‎10-31-2014

Try maxresults attribute in alert_actions.conf and action.email.maxresults in savedsearches.conf for your search

mekamundia · ‎10-31-2014

Ok, I'll try again modifying [default] stanza.
The search runs at night: tomorrow i'llsee the results.

Thanks for your support !

mekamundia · ‎10-31-2014

Hi MuS

Yesterday I have applied the modify to alert_actions. conf and restarted the search head (where the search is saved and runs).
But the wodoo remains :(...

What i missed?
I need some more tips !

cheers,
Mekamundia

MuS · ‎10-31-2014

uuppsss, looks like the maxinputs belongs to the [default] stanza and not the [email] in alert_actions.conf - sorry my bad

MuS · ‎10-31-2014

Did you try the action.email.maxinputs in savedsearch.conf as well?

Why my Splunk alert only include 1000 results in attached csv?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes