I'm getting a lot of parsing errors on my heavy forwarders ("...Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT...") but I don't know how to tell where the event is coming from (what host) that is getting the error. My HWFs are very busy and have many source devices sending events. If I knew how to associate this error with an incoming event, I think I could figure this out. Tcpdump might work but the environment is too noisy to make sense of the data. Has anyone had any experience tracking down a host?
Review the transforms.conf files on the HF for regular expressions that use wildcards. One of the expressions is matching more than the HF can handle.
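One way to do the review suggested above, as an added example that is not part of the original reply: a small Python audit that pulls every REGEX setting out of transforms.conf text and flags patterns prone to heavy backtracking. The stanza names and sample config are constructed, and the two heuristics (two or more greedy dot wildcards, or a quantified group that itself contains a quantifier) are assumptions, not Splunk's own limits.

```python
import re

# Constructed sample transforms.conf content (not from the original thread).
SAMPLE_CONF = r"""
[set_host_from_syslog]
REGEX = ^\w{3}\s+\d+\s[\d:]+\s(\S+)\s
DEST_KEY = MetaData:Host
FORMAT = host::$1

[extract_user_greedy]
REGEX = .*user=(.*) .*session=(.*) .*
FORMAT = user::$1 session::$2

[route_nested]
REGEX = ^(\w+\s*)+END$
DEST_KEY = _TCP_ROUTING
FORMAT = indexers
"""

# Heuristics (assumptions for this example, not Splunk's own rules).
UNBOUNDED_DOT = re.compile(r"(?<!\\)\.[*+](?!\?)")      # greedy .* or .+
NESTED_QUANT = re.compile(r"\([^()]*[*+][^()]*\)[*+]")  # (x+)+ style nesting

def parse_regex_settings(conf_text):
    """Yield (stanza, regex) for each REGEX setting in transforms.conf text."""
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif re.match(r"REGEX\s*=", line):
            yield stanza, line.split("=", 1)[1].strip()

def audit(conf_text):
    """Return {stanza: [reasons]} for regexes likely to backtrack heavily."""
    findings = {}
    for stanza, rx in parse_regex_settings(conf_text):
        reasons = []
        dots = len(UNBOUNDED_DOT.findall(rx))
        if dots >= 2:
            reasons.append(f"{dots} unbounded dot wildcards")
        if NESTED_QUANT.search(rx):
            reasons.append("nested quantifier")
        if reasons:
            findings[stanza] = reasons
    return findings

if __name__ == "__main__":
    for stanza, reasons in audit(SAMPLE_CONF).items():
        print(f"[{stanza}] " + "; ".join(reasons))
```

To run it against a real forwarder, pass the contents of each transforms.conf file to `audit()` instead of `SAMPLE_CONF`.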
@w199284 Did you check in the _internal index? Make sure your role has access to the internal index. The host field should give you the information.
index=_internal sourcetype=splunkd PCRE_ERROR_MATCHLIMIT*