topic Rex has exceeded configured match_limit, consider raising the value in limits.conf. in Splunk Search

Rex has exceeded configured match_limit, consider raising the value in limits.conf.

majilan1 — Mon, 18 Nov 2024 20:59:29 GMT

Hi Splunkers, any help with Rex has exceeded configured match_limit, consider raising the value in limits.conf.

My search looks like this:

| index=abc index=def process=jkl | rex field=_raw ";(?<h_db_host>\w+);(?<h_instance_name>\w+);\d+;\d+;(?<h_db_name>\w+);(?<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?<user_computer_name>[^;]*)?;[-\d]+;[-\d]+;(?<audit_policy_name>[^;]+);(?<audit_policy_severity>\w+);(?<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?<activity_details>[^;]+);(?<application_username>[^;]*)?;{5}(?<db_user_id>\w+)?;(?<user_application>[^;]+)?;(?<db_schema>\w+)?;" | rex field=user_activity "(?<user_activity_event>.+?)\;" | fillnull value="null" | search h_db_name IN("srp1", "brp1") audit_policy_severity="CRITICAL" db_user_id=SYSTEM | table _time, env, host, h_db_host, h_instance_name, h_db_name, user_computer_ip user_computer_name audit_policy_name audit_policy_severity user_activity_event

Any help will be appreciated.

Re: Rex has exceeded configured match_limit, consider raising the value in limits.conf.

sainag_splunk — Mon, 18 Nov 2024 21:30:22 GMT

@majilan1 the rex timeout typically happens with complex events/data, or lot of wild cards in your regex. Refer: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Limitsconf#.5Brex.5D

Try using that with max_match option.

| rex max_match=0

If this Helps, Please Upvote

Re: Rex has exceeded configured match_limit, consider raising the value in limits.conf.

yuanliu — Mon, 18 Nov 2024 22:47:28 GMT

As @sainag_splunk says, use of unlimited wildcards (+, *) are usually the cause. For others to help, you will need to post sample data that trigger these errors. Usually the remedy is to analyze your data boundaries and find more restrictive regex.

Re: Rex has exceeded configured match_limit, consider raising the value in limits.conf.

ITWhisperer — Mon, 18 Nov 2024 22:48:50 GMT

You could try using split to break up the field

| eval fields=split(_raw, ";") | eval h_db_host=mvindex(fields,1) etc.

Re: Rex has exceeded configured match_limit, consider raising the value in limits.conf.

inventsekar — Tue, 19 Nov 2024 00:08:06 GMT

Hi @majilan1
1) may i know if you understood the searchtime vs indextime

2) Indextime - while indexing the data itself you can "catch" the required fields (this is called as index time) .

3) searchtime - if you didnt configure "indextime", then sometimes the fields may not be indexed(not catch'ed / caught when data onboarding). then we need to write the rex to catch the fields at search time. this is acceptable, but it if we use tooo many rex, splunk will struggle.
4) searchtime is always preferred over indextime - (this is a debatable topic), but as far as i remember, the splunk docs suggest us to use the search time instead of indextime.

5) situation like yours... complex list of field extractions... can be prepared and planned thru indextime. so splunk will not ask you its own limitations 😉

thanks and best regards.

(PS - my karma stats - given 2000 and received 500. thanks for reading )