https://community.splunk.com/t5/Splunk-Search/Optimize-Regex/m-p/679324#M232224 <P>Good to know, thanks, works perfectly.</P><P>&nbsp;</P> Fri, 01 Mar 2024 17:25:25 GMT secphilomath1 2024-03-01T17:25:25Z https://community.splunk.com/t5/Splunk-Search/Optimize-Regex/m-p/679222#M232194 <P>I am getting an error when using the following regex<BR /><BR />(?&lt;=on\s)(.*)(?=\sby Firewall Settings)<BR /><BR />The error is "<SPAN>Error in 'rex' command: regex="(?&lt;=on\s)(.*)(?&lt;HostName&gt;.*)(?=\sby Firewall Settings)" has exceeded configured match_limit, consider raising the value in limits.conf."<BR /><BR /></SPAN>Is there a better way to do this,&nbsp; I am trying to find all text between "on " and " by Firewall Settings.&nbsp; It works in regex101.com, but I get that error in Splunk.</P><P>&nbsp;</P><P>TIA!</P><P>&nbsp;</P> Fri, 01 Mar 2024 00:52:21 GMT https://community.splunk.com/t5/Splunk-Search/Optimize-Regex/m-p/679222#M232194 secphilomath1 2024-03-01T00:52:21Z https://community.splunk.com/t5/Splunk-Search/Optimize-Regex/m-p/679224#M232195 <P>It would help to have a sample (sanitized) event to work with.</P><P>Avoid lookbehind and lookahead in Splunk.&nbsp; They're costly and rarely necessary.&nbsp; Try</P><LI-CODE lang="markup">on\s(?&lt;HostName&gt;\S*)\sby Firewall Settings</LI-CODE> Fri, 01 Mar 2024 01:13:24 GMT https://community.splunk.com/t5/Splunk-Search/Optimize-Regex/m-p/679224#M232195 richgalloway 2024-03-01T01:13:24Z https://community.splunk.com/t5/Splunk-Search/Optimize-Regex/m-p/679324#M232224 <P>Good to know, thanks, works perfectly.</P><P>&nbsp;</P> Fri, 01 Mar 2024 17:25:25 GMT https://community.splunk.com/t5/Splunk-Search/Optimize-Regex/m-p/679324#M232224 secphilomath1 2024-03-01T17:25:25Z