https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562015#M100110 <P>Can you share sample event?</P> Wed, 04 Aug 2021 05:28:45 GMT venkatasri 2021-08-04T05:28:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/561998#M100100 <P>Hi, I've exceeded my&nbsp;configured match_limit in limits.conf with this regex:</P><P><SPAN>"log":\s"(?&lt;log_source&gt;.*?)\s(?&lt;ISO8601&gt;.*?)\| (?&lt;exchangeId&gt;.*?)\|(?&lt;AUDIT_trackingId&gt;.*?)\| (?&lt;client_ip&gt;.*?)\|(?&lt;FAPI_ip&gt;.*?)\|(?&lt;AUDIT_roundTripMS&gt;.*?) ms\| (?&lt;AUDIT_proxyRoundTripMS&gt;.*?) ms\| (?&lt;AUDIT_userInfoRoundTripMS&gt;.*?) ms\| (?&lt;AUDIT_resource&gt;.*?)\s\[\]\s\/(?&lt;AUDIT_subject&gt;.*?)\/\*\:(?&lt;dest_port&gt;.*?)\|(?&lt;AUDIT_authMech&gt;.*?)\|(?&lt;AUDIT_scopes&gt;.*?)\| (?&lt;AUDIT_client&gt;.*?)\| (?&lt;AUDIT_method&gt;.*?)\| (?&lt;AUDIT_requestUri&gt;[^\s\?"|]++)(?&lt;uri_query&gt;\?[^\s"]*)?.*?\| (?&lt;AUDIT_responseCode&gt;.*?)\|(?&lt;AUDIT_failedRuleType&gt;.*?)\|(?&lt;AUDIT_failedRuleName&gt;.*?)\| (?&lt;AUDIT_applicationName&gt;.*?)\| (?&lt;AUDIT_resourceName&gt;.*?)\| (?&lt;AUDIT_pathPrefix&gt;.*?)\s</SPAN></P><P>Is there a way to make it more efficient? Please advise</P> Wed, 04 Aug 2021 02:00:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/561998#M100100 ebs 2021-08-04T02:00:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562003#M100105 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228215">@ebs</a>&nbsp;</P><P>The format of logs seems PSV format why don't you use delimiter based extractions?</P><P>Do not use * be specific, the list goes on...</P> Wed, 04 Aug 2021 02:48:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562003#M100105 venkatasri 2021-08-04T02:48:29Z https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562009#M100108 <P>Because its not all delimer based. If you could give me an example of making this extraction more efficient I would be apppreciative</P> Wed, 04 Aug 2021 04:54:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562009#M100108 ebs 2021-08-04T04:54:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562014#M100109 <P>As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp; said, don't use * and be more specific e.g. (?&lt;auditid&gt;\S+) for non-whitespaces, but you know your data best so you should be able to define the pattern more rigorously</P> Wed, 04 Aug 2021 05:26:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562014#M100109 ITWhisperer 2021-08-04T05:26:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562015#M100110 <P>Can you share sample event?</P> Wed, 04 Aug 2021 05:28:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-make-my-regex-more-efficient/m-p/562015#M100110 venkatasri 2021-08-04T05:28:45Z