Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why my Splunk alert only include 1000 results in attached csv?

mekamundia
Explorer
‎10-30-2014 03:21 AM

Hi to all,
I am a real newbie in Splunk. Sorry for my simple question, but I really need help.
I have set an automated alert on Splunk that collects over 8000 results when triggered. I tried dispatch those results by email in a .csv document, but Splunk only attach first 1000 results to the file. Vice versa when I relaunched the search manually, it made easily a complete csv document.
How I can extend the number of results in mail attachment ?
I also read the topic Splunk Alert only includes first 1000 results of search. Why? but it seems to me does not gave a solution to this problem: (there seems to be some hard-coded voodoo going on behind the scenes. And for whatever reason, that voodoo wants to keep your from sending more than 1,000 events in your email)
thanks in advance for every tip

Reply

andygerberkp
Explorer
‎04-30-2024 02:29 PM

This is an ancient thread, but bears updating.

As of 9.1.x, this is what I see:

Default is 10K lines.  You need to change it in alert_actions.conf.  Any change there will propagate to "Advanced Edit" for a saved search; there is no need to change the value there.

If the mail doesn't come through, look through splunkd logs for "Message size exceeds fixed limit" as many mailers reject attachments larger than a given size (10M is typical)

0 Karma
Reply

jaxjohnny2000
Builder
‎07-18-2019 07:13 AM

Using the Web GUI, modify just this one report you want to change. Try to go into Edit - Advanced Edit. The scroll down to action.email.maxresults . The default value is there for 10000. Add another zero (0) so it reads 100000.

alt text

Preview file
4 KB
Reply

yannK
Splunk Employee
Splunk Employee
‎11-19-2014 10:20 AM

the limits are in 2 places :

  • in alert_actions maxresults=10000
  • in alert_actions in the command calling the email script.

you can redefine this in our local/alert_actions.conf

Here is a way to bump the limit to 50000 for the email alerts only. (on 6.2.0, please adapt the command to your version)

[email]
command     = $action.email.preprocess_results{default=""}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=50000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$"

maxresults=50000
0 Karma
Reply

MuS
Legend
‎10-30-2014 03:30 AM

Hi mekamundia,

you can apply some anti-voodoo globally in alert_actions.conf by setting 

[default]
maxinputs = <YourNewMaxResultNumber>

or per saved search/ alert in savedsearch.conf like this:

action.email.maxinputs = <YourNewMaxResultNumber>

Hope this helps to fight the Voodoo 😉

cheers, MuS

Reply

mekamundia
Explorer
‎11-06-2014 02:38 AM

Nothing to do.... again.
Sorry somesoni2 but also your solution does not work.
I wait for new tips from everybody.

0 Karma
Reply

mekamundia
Explorer
‎10-31-2014 09:53 AM

I have tested the modify...
nothing new happened. The vodoo remains... 😞

0 Karma
Reply

somesoni2
Revered Legend
‎10-31-2014 11:38 AM

Try maxresults attribute in alert_actions.conf and action.email.maxresults in savedsearches.conf for your search

0 Karma
Reply

mekamundia
Explorer
‎10-31-2014 01:54 AM

Ok, I'll try again modifying [default] stanza.
The search runs at night: tomorrow i'llsee the results.

Thanks for your support !

0 Karma
Reply

mekamundia
Explorer
‎10-31-2014 01:44 AM

Hi MuS

Yesterday I have applied the modify to alert_actions. conf and restarted the search head (where the search is saved and runs).
But the wodoo remains :(...

What i missed?
I need some more tips !

cheers,
Mekamundia

0 Karma
Reply

MuS
Legend
‎10-31-2014 01:51 AM

uuppsss, looks like the maxinputs belongs to the [default] stanza and not the [email] in alert_actions.conf - sorry my bad

0 Karma
Reply

MuS
Legend
‎10-31-2014 01:47 AM

Did you try the action.email.maxinputs in savedsearch.conf as well?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...