After playing around with this I was able to get over the 10k or 50k results. This required all 3 settings on the search head.
$SPLUNK_HOME/etc/system/local/limits.conf
[scheduler]
max_action_results = 175000
[searchresults]
maxresultrows = 175000
$SPLUNK_HOME/etc/system/local/alert_actions.conf
[default]
maxresults = 175000
This enables an email alert containing a .csv to have 175k rows.
Note: when I pushed the same configs from the deployer, they ended up in an app's default directory as they should, but my .csv was limited to 10k rows. When I put them straight into $SPLUNK_HOME/etc/system/local via the CLI on each member, I got 175k rows in the csv.
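As an added example (not code from the original post or from Splunk), a small Python checker that parses the two .conf fragments and reports which of the three settings is the one capping the emailed CSV; the default values it assumes for an absent key are assumptions to confirm with btool on your own version.

```python
import configparser

# Constructed sample fragments modelled on the post's three settings; the
# alert_actions.conf value is deliberately left at 10000 to show the weakest link.
SAMPLE_LIMITS_CONF = """
[scheduler]
max_action_results = 175000

[searchresults]
maxresultrows = 175000
"""
SAMPLE_ALERT_ACTIONS_CONF = """
[default]
maxresults = 10000
"""

# The three (file, stanza, key) settings the post says must all be raised.
SETTINGS = (
    ("limits.conf", "scheduler", "max_action_results"),
    ("limits.conf", "searchresults", "maxresultrows"),
    ("alert_actions.conf", "default", "maxresults"),
)

# Assumed defaults applied when a key is absent (the "10k or 50k" the post hit);
# confirm the real values for your version with `splunk btool <conf> list --debug`.
ASSUMED_DEFAULTS = {SETTINGS[0]: 50000, SETTINGS[1]: 50000, SETTINGS[2]: 10000}


def parse_conf(text):
    """Parse a Splunk-style .conf fragment (INI-like stanzas) into nested dicts."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def effective_csv_cap(limits_text, alert_actions_text, defaults=ASSUMED_DEFAULTS):
    """Return (cap, limiting_setting): the smallest of the three values wins."""
    parsed = {"limits.conf": parse_conf(limits_text),
              "alert_actions.conf": parse_conf(alert_actions_text)}
    values = {}
    for setting in SETTINGS:
        fname, stanza, key = setting
        raw = parsed[fname].get(stanza, {}).get(key)
        values[setting] = int(raw) if raw is not None else defaults[setting]
    limiting = min(values, key=values.get)
    return values[limiting], limiting


if __name__ == "__main__":
    cap, (fname, stanza, key) = effective_csv_cap(SAMPLE_LIMITS_CONF, SAMPLE_ALERT_ACTIONS_CONF)
    print(f"emailed CSV capped at {cap} rows by {fname} [{stanza}] {key}")
```

Run it against the output of btool on each search head member rather than against the files you pushed, since the post shows the deployed copy and the local copy can disagree.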