Solved: When creating an alert that creates a .csv file to...

SamHTexas · ‎04-29-2021

When creating an alert that creates a .csv file to be emailed , the .csv contains 9000 with an error that only the first 9000 of the 40,000 results are included. Please advise.

s2_splunk · ‎04-29-2021

There is a setting in the alerting search (savedsearches.conf) called

action.email.maxresults

The default is 10000, not sure why you are getting 9000, maybe it was overwritten.

But that's where I would look first.

View solution in original post

s2_splunk · ‎04-29-2021

There is a setting in the alerting search (savedsearches.conf) called

action.email.maxresults

The default is 10000, not sure why you are getting 9000, maybe it was overwritten.

But that's where I would look first.

SamHTexas · ‎04-29-2021

Please tell me where do I find this savedsearches.conf file. Which server is it on?

s2_splunk · ‎04-29-2021

(Saved) searches are initiated on the Search Head; you should find it there.

You can also see the settings in effect in the UI under Settings->Searches, reports, and alerts if you select "Advanced Edit" from the dropdown for the relevant alerting search:

When creating an alert that creates a .csv file to be emailed , the .csv contains 9000 with an error.

saved search

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio