Reporting

csv result limits at 50000 events for ad-hoc sendemail command

mchang_splunk
Splunk Employee
Splunk Employee

I have tried increase max_result by referring to
https://answers.splunk.com/answers/542862/how-to-overcome-csv-max-results-to-email.html

However, when I do ad-hoc search sending out email, the results are still limited at 50000 events:
sourcetype=foo | sendemail to=foo@foo.com sendcsv=true subject="more than 50000 events"

What else should I do to increase the limit?

0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

The limit is defined in command.conf.
However, you can either increase this value by assigning maxinputs

sourcetype=foo | sendemail to=foo@foo.com sendcsv=true subject="more than 50000 events" maxinputs=500000

OR

permanently increase default maxinputs value in command.conf:

# maximum data that can be passed to command (0 = no limit)
maxinputs = 500000

View solution in original post

0 Karma

mchang_splunk
Splunk Employee
Splunk Employee

The limit is defined in command.conf.
However, you can either increase this value by assigning maxinputs

sourcetype=foo | sendemail to=foo@foo.com sendcsv=true subject="more than 50000 events" maxinputs=500000

OR

permanently increase default maxinputs value in command.conf:

# maximum data that can be passed to command (0 = no limit)
maxinputs = 500000
0 Karma
Get Updates on the Splunk Community!

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...