https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/699018#M20228 <P>Thank you!<BR />Unfortuantely</P> <LI-CODE lang="markup">| rex "#HLS#\s*IID:\s*(?P&lt;IID&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*(?P&lt;STEP&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*(?P&lt;PKEY&gt;.*?),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*(?P&lt;STATE&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*(?P&lt;MSG0&gt;.*?),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*.*?,\s*EXCID:\s*(?P&lt;EXCID&gt;[a-zA-Z_]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*.*?,\s*EXCID:\s*[a-zA-Z_]+,\s*PROPS:\s*(?P&lt;PROPS&gt;[^#]+)\s*#HLE#"</LI-CODE> <P>did not help much.<BR /><BR /></P> Fri, 13 Sep 2024 19:19:10 GMT ivoZgu 2024-09-13T19:19:10Z https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698905#M20215 <P>Hey All,<BR />Can anybody help me with optimization of this rex:<BR />| rex "#HLS#\s*IID:\s*(?P&lt;IID&gt;[^,]+),\s*STEP:\s*(?P&lt;STEP&gt;[^,]+),\s*PKEY:\s*(?P&lt;PKEY&gt;.*?),\s*STATE:\s*(?P&lt;STATE&gt;[^,]+),\s*MSG0:\s*(?P&lt;MSG0&gt;.*?),\s*EXCID:\s*(?P&lt;EXCID&gt;[a-zA-Z_]+),\s*PROPS:\s*(?P&lt;PROPS&gt;[^#]+)\s*#HLE#"<BR /><BR />Example log:<BR />"#HLS# IID: EB_FILE_S, STEP: SEND_TOF, PKEY: Ids:100063604006, 1000653604006, 6000125104001, 6000135104001, 6000145104001, 6000155104001, STATE: IN_PROGRESS, MSG0: Sending request to K, EXCID: dcd, PROPS: EVENT_TYPE: SEND_TO_S, asd: asd #HLE#<BR /><BR />ERROR:<BR />"<SPAN>Streamed search execute failed because: Error in 'rex' command: regex="#HLS#\s*IID:\s*(?P&lt;IID&gt;[^,]+),\s*STEP:\s*(?P&lt;STEP&gt;[^,]+),\s*PKEY:\s*(?P&lt;PKEY&gt;.*?),\s*STATE:\s*(?P&lt;STATE&gt;[^,]+),\s*MSG0:\s*(?P&lt;MSG0&gt;.*?),\s*EXCID:\s*(?P&lt;EXCID&gt;[a-zA-Z_]+),\s*PROPS:\s*(?P&lt;PROPS&gt;[^#]+)\s*#HLE#" has exceeded configured match_limit, consider raising the value in limits.conf.</SPAN>"<BR /><BR /></P> Fri, 13 Sep 2024 07:50:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698905#M20215 ivoZgu 2024-09-13T07:50:24Z https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698907#M20216 <P>Something is not quite right here</P><UL><LI>Your regex string is missing some question marks (although they do appear to be in your error message!)</LI><LI>Your error message says you have hit a limit with max_match, but your rex command doesn't appear to be using max_match and your sample log is a single line so even if you were using max_match there would only be one set of results</LI></UL><P>Please can you clarify / expand your question</P> Thu, 12 Sep 2024 13:08:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698907#M20216 ITWhisperer 2024-09-12T13:08:57Z https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698973#M20224 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,<BR />You are absolutely right, just have edited the rex .<BR />I am not using max_match. This error appears once there are a lots of matching events.&nbsp;<BR />On the other hand rex with less steps and one property (exclude EXCID) less achieves to retrieve all events and no error thrown.<BR /><BR /></P> <LI-CODE lang="markup">| rex "#HLS#\s*IID:\s*(?P&lt;IID&gt;[^,]+),\s*STEP:\s*(?P&lt;STEP&gt;[^,]+),\s*PKEY:\s*(?P&lt;PKEY&gt;.*?),\s*STATE:\s*(?P&lt;STATE&gt;[^,]+),\s*MSG0:\s*(?P&lt;MSG0&gt;.*?),\s*PROPS:\s*(?P&lt;PROPS&gt;[^#]+)\s*#HLE#"</LI-CODE> <P><BR /><BR />Thanks!<BR />BR,<BR />Ivo</P> Fri, 13 Sep 2024 14:06:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698973#M20224 ivoZgu 2024-09-13T14:06:46Z https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698982#M20226 <P>Try braking the large rex up into smaller chunks</P><LI-CODE lang="markup">| rex "#HLS#\s*IID:\s*(?P&lt;IID&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*(?P&lt;STEP&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*(?P&lt;PKEY&gt;.*?),\s*.*#HLE#" and so on</LI-CODE> Fri, 13 Sep 2024 09:02:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/698982#M20226 ITWhisperer 2024-09-13T09:02:09Z https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/699018#M20228 <P>Thank you!<BR />Unfortuantely</P> <LI-CODE lang="markup">| rex "#HLS#\s*IID:\s*(?P&lt;IID&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*(?P&lt;STEP&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*(?P&lt;PKEY&gt;.*?),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*(?P&lt;STATE&gt;[^,]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*(?P&lt;MSG0&gt;.*?),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*.*?,\s*EXCID:\s*(?P&lt;EXCID&gt;[a-zA-Z_]+),\s*.*#HLE#" | rex "#HLS#\s*IID:\s*[^,]+,\s*STEP:\s*[^,]+,\s*PKEY:\s*.*?,\s*STATE:\s*[^,]+,\s*MSG0:\s*.*?,\s*EXCID:\s*[a-zA-Z_]+,\s*PROPS:\s*(?P&lt;PROPS&gt;[^#]+)\s*#HLE#"</LI-CODE> <P>did not help much.<BR /><BR /></P> Fri, 13 Sep 2024 19:19:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/699018#M20228 ivoZgu 2024-09-13T19:19:10Z https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/699034#M20232 <P>Try reducing the lines until the error goes away to find out where the breakpoint is</P> Fri, 13 Sep 2024 15:42:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/Optimized-Rex/m-p/699034#M20232 ITWhisperer 2024-09-13T15:42:34Z