Alerting

Is there a limit on the number of results that can be included in an email alert?

alextsui
Path Finder

Hello. The events in the csv file sent by the alert action email are limited to 1000. Is this correct? How can I increase the limit?

Thanks.


hacktastic
Path Finder

Hi. I just upgraded from 4.0.11 and had the same problem. After reading this thread and looking at the command in the email stanza in alert_actions.conf, I found the problem, which corresponds with what vbumgarner posted. Specifically, in the old alert_actions.conf from 4.0.11, the command contained:

maxinputs="$maxinputs{default=100}$"

It should be:

maxinputs="$action.email.maxresults{default=1000}$"

Otherwise, maxresults=foo is meaningless, eh?


starks951
Explorer

We have been told by support to add:

maxinputs="$action.email.maxresults{default=10000}$"

To the alert_inputs.conf file; however, this does not make it work.

Anyone else get this to work? At this point I have been told this won't be fixed until the next version (we are currently running 4.1.5) but need it to work NOW. If I run this query at the command line and pipe the output to a file will it give me the same limitation?


vbumgarner
Contributor

This is caused by a typo in the default alert_actions.conf, and will be fixed in the next release. For an immediate fix, add this to etc/system/local/alert_actions.conf:

[email]
command =  $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"
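To make the typo concrete, here is an added example that is not from the thread or from Splunk: a small resolver for the `$key{default=...}$` tokens as they appear in the alert_actions.conf command above. It assumes only the token syntax visible in the posts; the real Splunk substitution engine, the `recurse=yes` option and the way the `[email]` stanza's `maxresults` is mapped to `action.email.maxresults` are not reproduced. It shows why the old `$maxinputs{default=100}$` template ignores any maxresults setting while the corrected `$action.email.maxresults{default=1000}$` template honours it.

```python
import re

# Matches template tokens in the shape used by the alert_actions.conf command on
# this page: $key$ or $key{opt=val,...}$, e.g. $action.email.maxresults{default=1000}$.
# This is a constructed resolver, not Splunk's engine: only the "default=" option
# is understood, any other option (such as recurse=yes) is ignored.
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)(?:\{([^}]*)\})?\$")


def resolve_template(template, settings):
    """Substitute every $key{default=...}$ token in `template`.

    `settings` is a dict of the alert settings in scope for the action
    (constructed input; keys follow the names used in the thread). A key that
    is missing from `settings` falls back to its default option; a key with
    neither becomes the empty string.
    """
    def _sub(match):
        key, opts = match.group(1), match.group(2)
        default = ""
        if opts:
            for opt in opts.split(","):
                name, _, value = opt.partition("=")
                if name.strip() == "default":
                    default = value.strip().strip('"')
        return str(settings.get(key, default))

    return TOKEN_RE.sub(_sub, template)


# The two variants of the maxinputs argument quoted in the thread.
OLD_MAXINPUTS = 'maxinputs="$maxinputs{default=100}$"'                 # 4.0.11 typo
NEW_MAXINPUTS = 'maxinputs="$action.email.maxresults{default=1000}$"'  # corrected


def effective_maxinputs(template_fragment, settings):
    """Return the integer maxinputs the sendemail command would actually receive."""
    resolved = resolve_template(template_fragment, settings)
    m = re.search(r'maxinputs="(\d+)"', resolved)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed setting: an administrator raised the email result cap to 5000.
    configured = {"action.email.maxresults": 5000}
    # With the typo the template looks up a key nobody sets, so the cap stays 100.
    print("old template, maxresults=5000 ->", effective_maxinputs(OLD_MAXINPUTS, configured))
    # With the corrected token the configured value reaches sendemail.
    print("new template, maxresults=5000 ->", effective_maxinputs(NEW_MAXINPUTS, configured))
    # With nothing configured the corrected template falls back to its default of 1000.
    print("new template, nothing set     ->", effective_maxinputs(NEW_MAXINPUTS, {}))
```

The check an admin wants after editing alert_actions.conf is the same one the script performs: confirm the token name inside the `maxinputs=` argument matches the setting that is actually being changed, otherwise the `{default=...}` value is all that will ever be passed.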

Glenn
Builder

There have been a few releases since September 2010 now, and this is still not fixed as far as I can tell...

But thanks for the solution.


shirolu
Explorer

I modified the setting, but the problem has not changed.


Simeon
Splunk Employee

There is a setting that dictates the maximum number of results that will be sent with any alert. This is the maxresults parameter that resides in the alert_actions.conf file. By default this is set to 100. For reference, you could set it to 2000 by adding this line to a $SPLUNK_HOME/etc/system/local/alert_actions.conf file:

maxresults=2000

http://www.splunk.com/base/Documentation/latest/Admin/Alertactionsconf
