Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I get more than 10,000 results in the CSV file attached to a scheduled report email?

Laya123
Communicator
‎02-23-2016 07:24 AM

Hi,

I have scheduled a report to get an email with an attachment of the results as CSV for the 1st of every month.

My report is giving around 30000 results. When I run it in Splunk, it is showing all results and when I download as CSV from Splunk, it is showing all 30000 results. However, the CSV file I got it from the scheduled report email is showing only 10,000 values with the message of 

"Only the first 10000 of total results are included in the attached csv."

but I want all the results, not only first 10,000 results. Is there any chance to get all the results?

Please help me to do this.

Thanks in advance

Reply

jaxjohnny2000
Builder
‎07-18-2019 07:09 AM

Using the Web GUI, modify just this one report you want to change. Try to go into Edit - Advanced Edit. The scroll down to action.email.maxresults . The default value is there for 10000. Add another zero (0) so it reads 100000.

alt text

Reply

somesoni2
Revered Legend
‎02-23-2016 07:36 AM

This is the default limit for csv export from a saved search. If you've access to configuration files on the search head, consider increasing following property for your saved search.

savedsearches.conf
action.email.maxresults = <integer>
* Set the maximum number of results to be emailed.
* Any alert-level results threshold greater than this number will be capped at
  this level.
* This value affects all methods of result inclusion by email alert: inline,
  CSV and PDF.
* Note that this setting is affected globally by "maxresults" in the [email]
  stanza of alert_actions.conf.
* Defaults to 10000

You can also look at the option of outputcsv command if you just want to export data (not through email)

Reply

nick405060
Motivator
‎08-16-2018 10:50 AM

I have over 20 savedsearches.conf files in my etc directory. This comment is not helpful.

Reply

ddrillic
Ultra Champion
‎02-23-2016 07:27 AM

Similar but different case - https://answers.splunk.com/answers/177137/why-my-splunk-alert-only-include-1000-results-in-a.html

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...