topic Search generates this error - Regex: regular expression is too large in Splunk Search

Search generates this error - Regex: regular expression is too large

jwhughes58 — Thu, 03 Oct 2024 16:26:01 GMT

This is the search with some anonymization.

The deepest subsearch returns a list of managers that report to a director, 10 names. The subsearch returns a list of users who report to those managers, 1137 names. If I run the search like this, I get output.

index=index_1 sourcetype=sourcetype_1 field_1 IN (1137 entries)

I can't find a reason that the first search returns this, 'Regex: regular expression is too large', since there is no command that uses regex. I can run each subsearch without any issues. I can't find anything in the _internal index. Any thoughts on why this is happening or a better search?

TIA,

Joe

Re: Search generates this error - Regex: regular expression is too large

sainag_splunk — Thu, 03 Oct 2024 17:00:24 GMT

Hello! There could be a regex defined on that sourcetype. Please run a btool on the backend for that sourcetype and figure out if you find any spaces or typos in that regex, then try to remove them.

/opt/splunk/bin/splunk btool validate-regex --debug

I would check out the search.log instead on whats happening there.

Hope this helps.

Re: Search generates this error - Regex: regular expression is too large

jwhughes58 — Thu, 03 Oct 2024 17:16:01 GMT

@sainag_splunkThe command doesn't return anything. Is there supposed to be an index or sourcetype in the command?

Re: Search generates this error - Regex: regular expression is too large

sainag_splunk — Thu, 03 Oct 2024 18:07:09 GMT

First Lets find the transforms.conf by running the below btool.

opt/splunk/bin/splunk btool transforms list --debug | grep sourcetype_1

Then you can try something like this on your transforms.conf from the above the app?

splunk@idx1:/opt/splunk/bin$ /opt/splunk/bin/splunk btool validate-regex /opt/splunk/etc/apps/learned/local/transforms.conf --debug Bad regex value: '-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)', of param: transforms.conf / [metrics_field_extraction] / REGEX; why: unmatched closing parenthesis

Re: Search generates this error - Regex: regular expression is too large

jwhughes58 — Thu, 03 Oct 2024 21:45:15 GMT

@sainag_splunkI didn't get any results back from the searches. This isn't surprising since the information is a csv file ingested by Splunk for reference. We don't do any modifications of the data.

Re: Search generates this error - Regex: regular expression is too large

jwhughes58 — Thu, 03 Oct 2024 21:54:31 GMT

The solution was filtering what was returned. The search went from 1139 users reporting up to 233. The 233 didn't error.

Re: Search generates this error - Regex: regular expression is too large

jwhughes58 — Thu, 03 Oct 2024 21:56:49 GMT

Thanks for the assistance @sainag_splunk . I didn't know about some of the btool options. I normally do

btool --debug [inputs|props|transforms] list <stanza>