Reporting

Stop email truncate?

freitagb
Engager

I have a saved search that's running properly and alerts being sent at the appropriate times, but unfortunately the data being sent in email is truncated; hence the message in the email:

NOTE: Search results in this email might have been truncated. Please visit the search job page to view the full resultset

Is there a way to overcome this limitation?

Tags (3)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

The maximum is 10000 by default. I would ask you to think very hard about whether you really want a file with more than 10000 items sent to you, and what use you would make of such a file (that might not be better done by fetching the results directly from Splunk). Nevertheless, you can change the limit by setting action.email.maxresults under the saved search's settings in savedsearches.conf.

http://docs.splunk.com/Documentation/Splunk/latest/admin/savedsearchesconf

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

The maximum is 10000 by default. I would ask you to think very hard about whether you really want a file with more than 10000 items sent to you, and what use you would make of such a file (that might not be better done by fetching the results directly from Splunk). Nevertheless, you can change the limit by setting action.email.maxresults under the saved search's settings in savedsearches.conf.

http://docs.splunk.com/Documentation/Splunk/latest/admin/savedsearchesconf

kearaspoor
SplunkTrust
SplunkTrust

If your output is greater than 50,000 rows, the above change to savedsearches.conf may also need to be paired with a change to limits.conf stanza:

max_action_results =
* The maximum number of results to load when triggering an alert action.
* Defaults to 50000

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Limitsconf

I'd also strongly suggest only making changes to this stanza with excessive caution since it's a global setting that's not restricted per-search.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...