How do I get more than 10,000 results in the CSV file attached to a scheduled report email?

Laya123
Communicator

Hi,

I have scheduled a report to get an email with an attachment of the results as CSV for the 1st of every month.

My report is giving around 30000 results. When I run it in Splunk, it is showing all results and when I download as CSV from Splunk, it is showing all 30000 results. However, the CSV file I got from the scheduled report email is showing only 10,000 values, with the message:

"Only the first 10000 of total results are included in the attached csv."

But I want all the results, not only the first 10,000 results. Is there any chance to get all the results?

Please help me to do this.

Thanks in advance

jaxjohnny2000
Builder

Using the Web GUI, modify just this one report you want to change. Try to go into Edit - Advanced Edit. Then scroll down to action.email.maxresults. The default value there is 10000. Add another zero (0) so it reads 100000.

somesoni2
SplunkTrust

This is the default limit for CSV export from a saved search. If you have access to configuration files on the search head, consider increasing the following property for your saved search.

savedsearches.conf
action.email.maxresults = <integer>
* Set the maximum number of results to be emailed.
* Any alert-level results threshold greater than this number will be capped at
  this level.
* This value affects all methods of result inclusion by email alert: inline,
  CSV and PDF.
* Note that this setting is affected globally by "maxresults" in the [email]
  stanza of alert_actions.conf.
* Defaults to 10000

You can also look at the outputcsv command if you just want to export data (not through email).

nick405060
Motivator

I have over 20 savedsearches.conf files in my etc directory. This comment is not helpful.
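
Added example, not part of the original thread and not Splunk's own code: a Python sketch that walks an etc directory and lists every savedsearches.conf that sets action.email.maxresults for one report, plus every alert_actions.conf that sets maxresults in [email], which the quoted spec says affects it globally. The report names, app names and file contents are constructed for the demonstration.

```python
import os
import tempfile

def read_setting(path, stanza, key):
    """Return the value of `key` inside [stanza] in a Splunk .conf file, or None."""
    current, value = None, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]          # stanza header, e.g. [email]
            elif current == stanza and "=" in line:
                name, _, val = line.partition("=")
                if name.strip() == key:
                    value = val.strip()       # a later duplicate in the same file wins
    return value

def locate(etc_dir, conf_name, stanza, key):
    """List (relative path, value) for every conf_name under etc_dir that sets key in [stanza]."""
    hits = []
    for folder, _dirs, files in os.walk(etc_dir):
        if conf_name in files:
            path = os.path.join(folder, conf_name)
            value = read_setting(path, stanza, key)
            if value is not None:
                hits.append((os.path.relpath(path, etc_dir).replace(os.sep, "/"), value))
    return sorted(hits)

def build_sample(root):
    """Constructed etc/ tree: two apps define reports, one file sets the global email value."""
    files = {
        "apps/search/local/savedsearches.conf":
            "[Monthly Usage Report]\nsearch = index=main | stats count by host\n"
            "action.email.maxresults = 100000\n",
        "apps/other_app/local/savedsearches.conf":
            "[Some Other Report]\naction.email.maxresults = 500\n",
        "system/local/alert_actions.conf": "[email]\nmaxresults = 10000\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as etc:
        build_sample(etc)
        print(locate(etc, "savedsearches.conf", "Monthly Usage Report", "action.email.maxresults"))
        print(locate(etc, "alert_actions.conf", "email", "maxresults"))
```

The script only lists where the values are set and does not apply Splunk's configuration precedence; `splunk btool savedsearches list --debug` reports which file supplies each setting that is actually in effect.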
