CSV max results to email?

btshivanand · ‎08-11-2021

i have max results of 300000 in a report.But my shc is failing to send csv in a email. Please find the below settings.I tride to changed them to 300000 still its not working. Also i restarted after the change,

Fyi:the report containing lesser then 175000 they are working perfectly fine.

Can some one help me with this?

$SPLUNK_HOME/etc/system/local/limits.conf

[scheduler]

max_action_results = 175000

[searchresults]

maxresultrows = 175000

$SPLUNK_HOME/etc/system/local/alert_actions.conf

[default]

maxresults = 175000

codebuilder · ‎08-11-2021

You're on the right track with maxresults in alert_actions.conf but also need to update savedsearches.conf. You can control results there per search, or globally using [default].

savedsearches.conf
action.email.maxresults = <integer>
* Set the maximum number of results to be emailed.
* Any alert-level results threshold greater than this number will be capped at
this level.
* This value affects all methods of result inclusion by email alert: inline,
CSV and PDF.
* Note that this setting is affected globally by "maxresults" in the [email]
stanza of alert_actions.conf.
* Defaults to 10000

----
An upvote would be appreciated and Accept Solution if it helps!

isoutamo · ‎08-12-2021

Are you sure that all mail server can deliver that amount of data? You can check from internal logs if 1st smtp server take it in, but not for the rest.
r. Ismo

CSV max results to email?

scheduled search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!