
How do I get more than 10,000 results in the CSV file attached to a scheduled report email?

Communicator

Hi,

I have scheduled a report to get an email with an attachment of the results as CSV for the 1st of every month.

My report is giving around 30000 results. When I run it in Splunk, it is showing all results, and when I download it as CSV from Splunk, it is showing all 30000 results. However, the CSV file I got from the scheduled report email is showing only 10,000 values with the message:

"Only the first 10000 of total results are included in the attached csv."

But I want all the results, not only the first 10,000 results. Is there any chance to get all the results?

Please help me to do this.

Thanks in advance

Using the Web GUI, modify just the one report you want to change. Try to go into Edit - Advanced Edit. Then scroll down to action.email.maxresults. The default value there is 10000. Add another zero (0) so it reads 100000.


Revered Legend

This is the default limit for CSV export from a saved search. If you have access to configuration files on the search head, consider increasing the following property for your saved search.

savedsearches.conf
action.email.maxresults = <integer>
* Set the maximum number of results to be emailed.
* Any alert-level results threshold greater than this number will be capped at
  this level.
* This value affects all methods of result inclusion by email alert: inline,
  CSV and PDF.
* Note that this setting is affected globally by "maxresults" in the [email]
  stanza of alert_actions.conf.
* Defaults to 10000

You can also look at the outputcsv command if you just want to export data (not through email).

Motivator

I have over 20 savedsearches.conf files in my etc directory. This comment is not helpful.
