- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: savedsearch not returing more than 10000 resul...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
savedsearch not returing more than 10000 results
I have changed action.email.maxresults for one of my savedsearch from 10000 to 100000 but that is not working and I don't want to set it globally in limits.conf and alert_actions.conf as mentioned in
https://answers.splunk.com/answers/542862/how-to-overcome-csv-max-results-to-email.html
as by doing this it will be for all jobs.
Can anyone suggest why this setting action.email.maxresults in savedsearches.conf didn't worked ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We need WAY more detail. What "didn't work"? What is your search SPL?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when you set "action.email.maxresults", in the conf file, did you restart splunk after doing so? also, that parameter is available, in the GUI, under "advanced settings/edit" for that search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, i am aware of that parameter is available in GUI under advance settings for that search.
If we change this setting from here, does splunk requires restart ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk are you using? I faced similar issue in advanced settings in 6.4 which later worked on 6.5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using splunk 7.0.3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the search? If it has a sort command in it that will limit the results.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richgallow
thanks for looking into it. Search I can't paste here, but its not using sort command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run the btool command to see what settings are applied
./splunk btool savedsearches list YourSavedSearchNameHere --debug
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[xxxxxxxxxxxxxxxxxxxxxxxx]
action.email = 1
action.email.include.results_link = 0
action.email.maxresults = 100000
action.email.sendcsv = 1
action.email.sendresults = 1
action.email.to = xxxxxxxxxxxxx
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 45 13 * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
