
savedsearch not returning more than 10000 results

Communicator

I have changed action.email.maxresults for one of my saved searches from 10000 to 100000, but that is not working, and I don't want to set it globally in limits.conf and alert_actions.conf as mentioned in
https://answers.splunk.com/answers/542862/how-to-overcome-csv-max-results-to-email.html
as by doing this it will be for all jobs.
Can anyone suggest why this setting, action.email.maxresults in savedsearches.conf, didn't work?

0 Karma

Re: savedsearch not returning more than 10000 results

SplunkTrust

What is the search? If it has a sort command in it that will limit the results.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: savedsearch not returning more than 10000 results

Communicator

Hi @richgallow,
thanks for looking into it. I can't paste the search here, but it's not using the sort command.

0 Karma

Re: savedsearch not returning more than 10000 results

SplunkTrust

Run the btool command to see what settings are applied

./splunk btool savedsearches list YourSavedSearchNameHere --debug
0 Karma

Re: savedsearch not returning more than 10000 results

Communicator

[xxxxxxxxxxxxxxxxxxxxxxxx]
action.email = 1
action.email.include.resultslink = 0
action.email.maxresults = 100000
action.email.sendcsv = 1
action.email.sendresults = 1
action.email.to = xxxxxxxxxxxxx
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 45 13 * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d

0 Karma

Re: savedsearch not returning more than 10000 results

Path Finder

What version of Splunk are you using? I faced a similar issue in advanced settings in 6.4, which later worked on 6.5.

0 Karma

Re: savedsearch not returning more than 10000 results

Communicator

We are using Splunk 7.0.3.

0 Karma

Re: savedsearch not returning more than 10000 results

Path Finder

When you set "action.email.maxresults" in the conf file, did you restart Splunk after doing so? Also, that parameter is available in the GUI, under "advanced settings/edit" for that search.

0 Karma

Re: savedsearch not returning more than 10000 results

Communicator

Yes, I am aware that the parameter is available in the GUI under advanced settings for that search.
If we change this setting from here, does Splunk require a restart?

0 Karma

Re: savedsearch not returning more than 10000 results

Esteemed Legend

We need WAY more detail. What "didn't work"? What is your search SPL?

0 Karma