Re: CSV max results to email?

btshivanand · ‎08-11-2021

i have max results of 300000 in a report.But my shc is failing to send csv in a email. Please find the below settings.I tride to changed them to 300000 still its not working. Also i restarted after the change,

Fyi:the report containing lesser then 175000 they are working perfectly fine.

Can some one help me with this?

$SPLUNK_HOME/etc/system/local/limits.conf

[scheduler]

max_action_results = 175000

[searchresults]

maxresultrows = 175000

$SPLUNK_HOME/etc/system/local/alert_actions.conf

[default]

maxresults = 175000

codebuilder · ‎08-11-2021

You're on the right track with maxresults in alert_actions.conf but also need to update savedsearches.conf. You can control results there per search, or globally using [default].

savedsearches.conf
action.email.maxresults = <integer>
* Set the maximum number of results to be emailed.
* Any alert-level results threshold greater than this number will be capped at
this level.
* This value affects all methods of result inclusion by email alert: inline,
CSV and PDF.
* Note that this setting is affected globally by "maxresults" in the [email]
stanza of alert_actions.conf.
* Defaults to 10000

----
An upvote would be appreciated and Accept Solution if it helps!

isoutamo · ‎08-12-2021

Are you sure that all mail server can deliver that amount of data? You can check from internal logs if 1st smtp server take it in, but not for the rest.
r. Ismo

CSV max results to email?

scheduled search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation