savedsearch not returning more than 10000 results

Communicator

I have changed action.email.maxresults for one of my saved searches from 10000 to 100000, but that is not working, and I don't want to set it globally in limits.conf and alert_actions.conf as mentioned in
https://answers.splunk.com/answers/542862/how-to-overcome-csv-max-results-to-email.html
as doing this would apply it to all jobs.
Can anyone suggest why setting action.email.maxresults in savedsearches.conf didn't work?

0 Karma

Esteemed Legend

We need WAY more detail. What "didn't work"? What is your search SPL?

0 Karma

Path Finder

When you set "action.email.maxresults" in the conf file, did you restart Splunk after doing so? Also, that parameter is available in the GUI, under "advanced settings/edit" for that search.

0 Karma

Communicator

Yes, I am aware that the parameter is available in the GUI under advanced settings for that search.
If we change this setting from here, does Splunk require a restart?

0 Karma

Path Finder

What version of Splunk are you using? I faced a similar issue in advanced settings in 6.4, which later worked on 6.5.

0 Karma

Communicator

We are using Splunk 7.0.3.

0 Karma

SplunkTrust

What is the search? If it has a sort command in it that will limit the results.

---
If this reply helps you, an upvote would be appreciated.

Communicator

Hi @richgallow
Thanks for looking into it. I can't paste the search here, but it's not using the sort command.

0 Karma

SplunkTrust

Run the btool command to see what settings are applied

./splunk btool savedsearches list YourSavedSearchNameHere --debug
0 Karma

Communicator

[xxxxxxxxxxxxxxxxxxxxxxxx]
action.email = 1
action.email.include.resultslink = 0
action.email.maxresults = 100000
action.email.sendcsv = 1
action.email.sendresults = 1
action.email.to = xxxxxxxxxxxxx
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 45 13 * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d

0 Karma
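
Added example, not part of the original thread: a small Python parser for the `btool ... --debug` output suggested above, which reports the .conf file that supplies each setting so the per-search `action.email.maxresults` can be read next to the global `maxresults` in `alert_actions.conf`. The sample output, paths, app name and stanza name are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `splunk btool savedsearches list <name> --debug` output.
# Paths, app name and stanza name are made up for illustration.
SAMPLE_SAVEDSEARCH = """\
/opt/splunk/etc/apps/my_app/local/savedsearches.conf   [Weekly Report]
/opt/splunk/etc/apps/my_app/local/savedsearches.conf   action.email = 1
/opt/splunk/etc/apps/my_app/local/savedsearches.conf   action.email.maxresults = 100000
/opt/splunk/etc/system/default/savedsearches.conf      action.email.sendcsv = 0
/opt/splunk/etc/apps/my_app/local/savedsearches.conf   cron_schedule = 45 13 * * *
"""

# Constructed sample of `splunk btool alert_actions list email --debug` output.
SAMPLE_ALERT_ACTIONS = """\
/opt/splunk/etc/system/default/alert_actions.conf      [email]
/opt/splunk/etc/system/default/alert_actions.conf      maxresults = 10000
"""

# With --debug, every output line starts with the .conf file that supplied it.
# The lazy match up to ".conf" + whitespace also copes with spaces in the path.
LINE = re.compile(r"^(?P<file>.*?\.conf)\s+(?P<rest>.+)$")

def parse_btool_debug(text):
    """Return {key: (value, source_file)} for one stanza of --debug output."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["rest"].startswith("["):  # skip blanks and stanza headers
            continue
        key, sep, value = m["rest"].partition("=")  # split on the first "=" only
        if sep:
            settings[key.strip()] = (value.strip(), m["file"])
    return settings

def report(saved_text, global_text, key="maxresults"):
    """Per-search and global values of `key`, each with its source file."""
    saved = parse_btool_debug(saved_text).get("action.email." + key)
    glob = parse_btool_debug(global_text).get(key)
    return {"saved_search": saved, "alert_actions": glob}

if __name__ == "__main__":
    for scope, hit in report(SAMPLE_SAVEDSEARCH, SAMPLE_ALERT_ACTIONS).items():
        print(scope, "->", hit if hit else "not set")
```

To use it on a real instance, pass the captured output of the two btool commands to `report()` in place of the constructed samples.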