I need to create an alert to send 250,000+ records in the CSV attachment.
Initially it allowed me to send only 10K results. Have added new stanzas in savedsearches.conf, alert_actions.conf and limits.conf. Below are the respective stanzas.
alert_actions.conf
[email]
command = $action.email.preprocess_results{default=""}$ | sendemail "to=$action.email.to$" "server=$action.email.mailserver{default=localhost}$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxinputs{default=500000}$" maxtime="$action.email.maxtime{default=5m}$"
savedsearches.conf
action.email.maxresults =500000
dispatch.max_count =500000
limits.conf
[scheduler]
max_action_results = 500000
Currently able to send only 50K records.
Is there any stanza I need to add in any Config file to achieve this?
Thanks in advance.
↧