I have changed action.email.maxresults for one of my savedsearch from 10000 to 100000 but that is not working and I don't want to set it globally in limits.conf and alert_actions.conf as mentioned in
as by doing this it will be for all jobs.
Can anyone suggest why this setting action.email.maxresults in savedsearches.conf didn't worked ?
What is the search? If it has a
sort command in it that will limit the results.
action.email = 1
action.email.include.resultslink = 0
action.email.maxresults = 100000
action.email.sendcsv = 1
action.email.sendresults = 1
action.email.to = xxxxxxxxxxxxx
action.email.useNSSubject = 1
alert.track = 0
cronschedule = 45 13 * * *
dispatch.earliesttime = -7d@d
dispatch.latesttime = @d
when you set "action.email.maxresults", in the conf file, did you restart splunk after doing so? also, that parameter is available, in the GUI, under "advanced settings/edit" for that search
Yes, i am aware of that parameter is available in GUI under advance settings for that search.
If we change this setting from here, does splunk requires restart ?