https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469891#M132224 <P>any reason why you are performing a greedy rex<BR /> consider changing to this</P> <PRE><CODE> rex field=_raw "NETWORK_STATE (?&lt;Option1&gt;\w+)(?&lt;Option2&gt;.*?)\- - -+\s+\"(?&lt;NN1&gt;.*?)\"" Basically , try replacing the MN fields .* with .*? </CODE></PRE> <P>There are other fantastic answers here - <BR /> <A href="https://answers.splunk.com/answers/35098/rex-matching-everything-until-a-tab.html">https://answers.splunk.com/answers/35098/rex-matching-everything-until-a-tab.html</A><BR /> AND<BR /> <A href="https://answers.splunk.com/answers/727560/rex-has-exceeded-configured-match-limit.html">https://answers.splunk.com/answers/727560/rex-has-exceeded-configured-match-limit.html</A><BR /> AND<BR /> <A href="https://answers.splunk.com/answers/581183/is-my-rex-right-rex-has-exceeded-configured-match.html">https://answers.splunk.com/answers/581183/is-my-rex-right-rex-has-exceeded-configured-match.html</A></P> <P>Just to cite a few</P> Sat, 31 Aug 2019 10:04:46 GMT Sukisen1981 2019-08-31T10:04:46Z https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469890#M132223 <P>Hi Splunkers,</P> <P>I'm running Splunk 7.0.1 and having some problems to parse variables using regex in a search.</P> <P>This is my data, in one line only:</P> <OL> <LI>Aug 30 19:40:41 10.181.132.181 1 2019-08-30T19:40:30.729124-04:00 bones NETWORK_STATE FACILITIES LINKS - - - "All Power 1":1,"All Power 2":0,"Five Stars 1":1,"Five Stars 2":1,"Five Stars 3":1,"Five Stars 4":1,"Five Stars 5":1,"Five Stars 6":1,"Five Stars 7":1,"Five Stars Power":0,"Telefive Shark 1":1,"Telefive Shark 2":1,"Infinity 1":1,"Infinity 2":1,"Infinity 3":1,"OutSourcing":1,"Unitel":1,"Longside":1,"Tele Power":1,"Digilast 1":1,"Digilast 2":1</LI> </OL> <P>I'm trying to extract some fileds, like:</P> <PRE><CODE>Option1: FACILITIES Option2: LINKS NN1: "All Power 1" Link_State1: 1 . . . NN21: "Digilast 2" Link_State21: 1 </CODE></PRE> <P>The regular expresion that I'm trying to use is:</P> <PRE><CODE>NETWORK_STATE (?&lt;Option1&gt;\w+) (?&lt;Option2&gt;\w+) - - - (?&lt;NN1&gt;.*):(?&lt;Link_State1&gt;.)(?&lt;NN2&gt;.*):(?&lt;Link_State2&gt;.)(?&lt;NN3&gt;.*):(?&lt;Link_State3&gt;.)(?&lt;NN4&gt;.*):(?Link_State4&gt;.) (?&lt;NN5&gt;.*):(?&lt;Link_State5&gt;.)(?&lt;NN6&gt;.*):(?&lt;Link_State6&gt;.)(?&lt;NN7&gt;.*):(?&lt;Link_State7&gt;.)(?&lt;NN8&gt;.*):(?&lt;Link_State8&gt;.) (?&lt;NN9&gt;.*):(?&lt;Link_State9&gt;.)(?&lt;NN10&gt;.*):(?&lt;Link_State10&gt;..)(?&lt;NN11&gt;.*):(?&lt;Link_State11&gt;..)(?&lt;NN12&gt;.*):(?&lt;Link_State12&gt;..) (?&lt;NN13&gt;.*):(?&lt;Link_State13&gt;..)(?&lt;NN14&gt;.*):(?&lt;Link_State14&gt;..)(?&lt;NN15&gt;.*):(?&lt;Link_State15&gt;..)(?&lt;NN16&gt;.*):(?&lt;Link_State16&gt;..) (?&lt;NN17&gt;.*):(?&lt;Link_State17&gt;..)(?&lt;NN18&gt;.*):(?&lt;Link_State18&gt;..)(?&lt;NN19&gt;.*):(?&lt;Link_State19&gt;..)(?&lt;NN20&gt;.*):(?&lt;Link_State20&gt;..) (?&lt;NN21&gt;.*):(?&lt;Link_State21&gt;..) </CODE></PRE> <P>But I've got the following error:</P> <PRE><CODE>Error in 'rex' command: regex="NETWORK_STATE (?&lt;Option1&gt;\w+) (?&lt;Option2&gt;\w+) - - - (?&lt;NN1&gt;.*),(?&lt;NN10&gt;.*):(?&lt;Link_State10&gt;.), (?&lt;NN11&gt;.*):(?&lt;Link_State11&gt;.),(?&lt;NN12&gt;.*):(?&lt;Link_State12&gt;.),(?&lt;NN13&gt;.*):(?&lt;Link_State13&gt;.),(?&lt;NN14&gt;.*):(?&lt;Link_State14&gt;.),(? &lt;NN15&gt;.*):(?&lt;Link_State15&gt;.),(?&lt;NN16&gt;.*):(?&lt;Link_State16&gt;.),(?&lt;NN17&gt;.*):(?&lt;Link_State17&gt;.),(?&lt;NN18&gt;.*):(?&lt;Link_State18&gt;.),(? &lt;NN19&gt;.*):(?&lt;Link_State19&gt;.),(?&lt;NN20&gt;.*):(?&lt;Link_State20&gt;.),(?&lt;NN21&gt;.*):(?&lt;Link_State21&gt;.)" has exceeded configured match_limit, consider raising the value in limits.conf </CODE></PRE> <P>Looking for the error, I've learnt that there is better ways to achieve my goal. Please, could yo enlight me?</P> <P>Regards</P> <P>Pedro</P> Sat, 31 Aug 2019 01:19:45 GMT https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469890#M132223 prsepulv 2019-08-31T01:19:45Z https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469891#M132224 <P>any reason why you are performing a greedy rex<BR /> consider changing to this</P> <PRE><CODE> rex field=_raw "NETWORK_STATE (?&lt;Option1&gt;\w+)(?&lt;Option2&gt;.*?)\- - -+\s+\"(?&lt;NN1&gt;.*?)\"" Basically , try replacing the MN fields .* with .*? </CODE></PRE> <P>There are other fantastic answers here - <BR /> <A href="https://answers.splunk.com/answers/35098/rex-matching-everything-until-a-tab.html">https://answers.splunk.com/answers/35098/rex-matching-everything-until-a-tab.html</A><BR /> AND<BR /> <A href="https://answers.splunk.com/answers/727560/rex-has-exceeded-configured-match-limit.html">https://answers.splunk.com/answers/727560/rex-has-exceeded-configured-match-limit.html</A><BR /> AND<BR /> <A href="https://answers.splunk.com/answers/581183/is-my-rex-right-rex-has-exceeded-configured-match.html">https://answers.splunk.com/answers/581183/is-my-rex-right-rex-has-exceeded-configured-match.html</A></P> <P>Just to cite a few</P> Sat, 31 Aug 2019 10:04:46 GMT https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469891#M132224 Sukisen1981 2019-08-31T10:04:46Z https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469892#M132225 <P>It works like a charm.</P> <P>Thank you very much...!!!</P> Sat, 31 Aug 2019 17:18:30 GMT https://community.splunk.com/t5/Splunk-Search/Regex-error-exceeded-configured-match-limit/m-p/469892#M132225 prsepulv 2019-08-31T17:18:30Z