Alerting

Why does my search return results as expected, but saving the same search as an alert does not return all data fields?

susenstoob
New Member

So when I perform a search using the criteria that I want, it works. If I export those results to a CSV, I am given ALL of the data fields (which is what I want). However, when I then save this search as an alert and that alert is triggered, I have it email a CSV of the results, and that CSV is missing 75% of the data fields. The results are exactly the same as the search, just missing many columns of data that I need.

0 Karma

nisu
Explorer

You can try by updating your query as follows:

Provide fieldname=* at the start of your query, which you are using with chart or stats at the end. I think a saved search by default runs in fast mode.

If the above is not working then try the following property in savedsearches.conf

action.email.maxresults = <integer>
 * Set the maximum number of results to be emailed.
 * Any alert-level results threshold greater than this number will be capped at
   this level.
 * This value affects all methods of result inclusion by email alert: inline,
   CSV and PDF.
 * Note that this setting is affected globally by "maxresults" in the [email]
   stanza of alert_actions.conf.
 * Defaults to 10000
0 Karma

susenstoob
New Member

Thanks Nisu, I tried your first suggestion, but then the search returns 0 results. Also, just FYI, I have tried both fast mode and verbose mode. The search works the same in both, and the emailed report is still missing many fields.

I tried your second suggestion, again with no change. Though I believe that only changes the number of results, and my search and report are nowhere close to 10k.

Any other ideas?

0 Karma

amgibby
Engager

Saved searches have a different behavior than ad hoc searches in that they only return requested fields. You need to explicitly state what fields you want returned with the fields command. Alternatively, you can use the command to return all fields:

<your search string> | fields *


0 Karma
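As an added illustration, not part of this thread and not Splunk's own configuration, the two answers above translate into a savedsearches.conf stanza like the one below: the search pipeline ends with an explicit fields command (so the scheduled run keeps every column the CSV needs instead of only the fields the search itself references), and the email action is set to attach the results as a CSV. The stanza name, index, sourcetype, field names, recipient address and schedule are assumptions chosen for the example.

```ini
# Added example, not from the original thread. Index, sourcetype, field names,
# recipient and schedule are assumptions; adjust them to your environment.
[failed_logins_csv_alert]
# A scheduled/alert search only keeps the fields the search references, so the
# pipeline ends with an explicit fields list. Use "| fields *" instead if you
# want every extracted field, as in the ad hoc export.
search = index=auth sourcetype=linux_secure "Failed password" | fields _time, host, src_ip, user, process
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the scheduled run returns at least one result.
counttype = number of events
relation = greater than
quantity = 0
# Email the results as a CSV attachment.
action.email = 1
action.email.to = secops@example.com
action.email.subject = Failed logins (last 15 minutes)
action.email.sendresults = 1
action.email.sendcsv = 1
# Cap on rows included in the email; 10000 is the default quoted above, and it
# is not what drops columns.
action.email.maxresults = 10000
```

After deploying the stanza, confirm the effective settings with `splunk btool savedsearches list failed_logins_csv_alert --debug`, then trigger the alert once and compare the column headers of the attached CSV against an ad hoc export of the same search; any column still missing is one the fields command does not name.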