Hi. I just upgraded from 4.0.11 and had the same problem. After reading this thread and looking at the command in the email stanza in alert_actions.conf, I found the problem, which corresponds with what vbumgarner posted. Specifically, in the old alert_actions.conf from 4.0.11, the command contained:
maxinputs="$maxinputs{default=100}$"
It should be:
maxinputs="$action.email.maxresults{default=1000}$"
Otherwise, maxresults=foo is meaningless, eh?
We have been told by support to add:
maxinputs="$action.email.maxresults{default=10000}$"
To the alert_inputs.conf file, however this does not make it work.
Anyone else get this to work? At this point I have been told this won't be fixed until the next version (we are currently running 4.1.5), but we need it to work NOW. If I run this query at the command line and pipe the output to a file, will it give me the same limitation?
This is caused by a typo in the default alert_actions.conf, and will be fixed in the next release. For an immediate fix, add this to etc/system/local/alert_actions.conf:
[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"
There have been a few releases since September 2010 now, and this is still not fixed as far as I can tell...
But thanks for the solution.
I modified the setting, but the problem has not changed.
There is a setting that dictates the maximum number of results that will be sent with any alert. This is the maxresults parameter that resides in the alert_actions.conf file. By default this is set to 100. For reference, you could set it to 2000 by adding this line to a $SPLUNK_HOME/etc/system/local/alert_actions.conf file:
maxresults=2000
http://www.splunk.com/base/Documentation/latest/Admin/Alertactionsconf
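As an added illustration of the two answers above (the corrected [email] command and the maxresults setting), here is a small Python script that is not from the thread or from Splunk. It models the $name{default=X}$ token substitution in a simplified way (an assumption, not Splunk's actual implementation), shows why the old `$maxinputs{default=100}$` token ignores `maxresults=2000` while `$action.email.maxresults{default=1000}$` honours it, and includes a checker you could run over a local alert_actions.conf to catch the typo. The command strings and config text are constructed for the example and shortened from the real stanza; the assumption that `maxresults = 2000` under [email] surfaces as the `action.email.maxresults` token follows the answers above.

```python
import configparser
import re
from typing import Dict, List, Optional

# Simplified model of a Splunk saved-search token: $name$ or $name{opt=val,...}$.
# Assumption for this example only; Splunk's real expansion has more options (recurse=, etc.).
TOKEN_RE = re.compile(r"\$([A-Za-z0-9_.]+)(?:\{([^}]*)\})?\$")


def expand_template(template: str, settings: Dict[str, str]) -> str:
    """Replace every token with settings[name], falling back to its default= option."""
    def sub(m: "re.Match") -> str:
        name, opts = m.group(1), m.group(2) or ""
        options = dict(kv.split("=", 1) for kv in opts.split(",") if "=" in kv)
        return settings.get(name, options.get("default", "").strip('"'))
    return TOKEN_RE.sub(sub, template)


def effective_maxinputs(command: str, settings: Dict[str, str]) -> str:
    """Expand the command and return the value that ends up in maxinputs="..."."""
    m = re.search(r'maxinputs="([^"]*)"', expand_template(command, settings))
    return m.group(1) if m else ""


def maxinputs_token(command: str) -> Optional[str]:
    """Name of the token the maxinputs= argument references, if any."""
    m = re.search(r'maxinputs="\$([A-Za-z0-9_.]+)', command)
    return m.group(1) if m else None


def check_alert_actions_conf(text: str) -> List[str]:
    """Report an [email] stanza whose maxinputs token is not action.email.maxresults."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    problems = []
    if cp.has_section("email") and cp.has_option("email", "command"):
        tok = maxinputs_token(cp.get("email", "command"))
        if tok != "action.email.maxresults":
            problems.append(
                f"[email] command: maxinputs references ${tok}$, expected $action.email.maxresults$"
            )
    return problems


# Constructed, shortened versions of the old (typo) and corrected command templates.
BUGGY_COMMAND = (
    'sendemail "to=$action.email.to$" '
    'maxinputs="$maxinputs{default=100}$" maxtime="$action.email.maxtime{default=5m}$"'
)
FIXED_COMMAND = (
    'sendemail "to=$action.email.to$" '
    'maxinputs="$action.email.maxresults{default=1000}$" maxtime="$action.email.maxtime{default=5m}$"'
)

# Assumption: maxresults = 2000 under [email] is exposed to the template as this token.
SETTINGS = {"action.email.maxresults": "2000"}

# Constructed alert_actions.conf fragments for the checker.
BUGGY_CONF = "[email]\ncommand = " + BUGGY_COMMAND + "\nmaxresults = 2000\n"
FIXED_CONF = "[email]\ncommand = " + FIXED_COMMAND + "\nmaxresults = 2000\n"

if __name__ == "__main__":
    print("old template  ->", effective_maxinputs(BUGGY_COMMAND, SETTINGS))  # 100, setting ignored
    print("fixed template->", effective_maxinputs(FIXED_COMMAND, SETTINGS))  # 2000
    for p in check_alert_actions_conf(BUGGY_CONF):
        print("PROBLEM:", p)
```

Point the checker at $SPLUNK_HOME/etc/system/default/alert_actions.conf and your local override: if it flags the default file, the local [email] stanza with the corrected command line is what fixes it, and maxresults then takes effect.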