Getting Data In

Who is sending to my heavy forwarder?

w199284
Explorer

I'm getting a lot of parsing errors on my heavy forwarders (...Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT...), but I don't know how to tell where the event that is getting the error is coming from (what host). My HWFs are very busy and have many source devices sending events. If I knew how to associate this error with an incoming event, I think I could figure this out. Tcpdump might work, but the environment is too noisy to make sense of the data. Has anyone had any experience tracking down a host?

0 Karma

richgalloway
SplunkTrust

Review the transforms.conf files on the HF for regular expressions that use wildcards. One of the expressions is matching more than the HF can handle.

---
If this reply helps you, Karma would be appreciated.
0 Karma
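The review richgalloway suggests can be partly automated. The script below is an added example, not code from the thread or from Splunk: it reads a transforms.conf fragment with Python's configparser and flags REGEX values that are the usual causes of PCRE_ERROR_MATCHLIMIT, namely nested quantifiers such as (.*)+ and several unbounded wildcards (.* or .+) in one expression. The transforms.conf text and stanza names are constructed for the example, and the two checks are heuristics, not a full regex complexity analysis.

```python
import configparser
import re

# Constructed transforms.conf fragment for the example (not from the page).
# The first two stanzas are the kind of wildcard-heavy expressions that
# backtrack badly on long events; the third is bounded and safe.
SAMPLE_TRANSFORMS_CONF = r"""
[extract_user_from_msg]
REGEX = ^(?:.*)+user=(\S+)(?:.*)+$
FORMAT = user::$1

[strip_prefix_everywhere]
REGEX = .*\[(.*)\].*:(.*)
FORMAT = a::$1 b::$2

[session_id]
REGEX = session_id=([0-9a-f]{32})
FORMAT = session_id::$1
"""

# A quantified group that is itself quantified, e.g. (a+)+ or (?:.*)+ .
NESTED_QUANTIFIER = re.compile(r'\((?:[^()\\]|\\.)*[*+]\)[*+]')
# An unescaped dot followed by * or + ; the lookbehind skips literal "\."
UNBOUNDED_WILDCARD = re.compile(r'(?<!\\)\.[*+]')


def assess_regex(pattern):
    """Return the reasons (heuristic) a REGEX value may exceed PCRE's match limit."""
    reasons = []
    if NESTED_QUANTIFIER.search(pattern):
        reasons.append("nested quantifier")
    wildcards = len(UNBOUNDED_WILDCARD.findall(pattern))
    if wildcards >= 2:
        reasons.append(f"{wildcards} unbounded wildcards")
    return reasons


def lint_transforms(conf_text):
    """Map each stanza name to its findings; stanzas with no REGEX or no findings are omitted."""
    # Splunk conf files are INI-style; interpolation is disabled so "%" in
    # a regex is not treated as a configparser substitution.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for stanza in cp.sections():
        regex = cp.get(stanza, "REGEX", fallback=None)
        if regex is None:
            continue
        reasons = assess_regex(regex)
        if reasons:
            findings[stanza] = reasons
    return findings


if __name__ == "__main__":
    for stanza, reasons in lint_transforms(SAMPLE_TRANSFORMS_CONF).items():
        print(f"[{stanza}]: {', '.join(reasons)}")
```

Point the script at the HF's actual etc/system/local/transforms.conf and app-level copies; a stanza that is flagged is a candidate to rewrite with anchored literals and bounded character classes (for instance user=(\S+) instead of ^(?:.*)+user=(\S+)(?:.*)+$), which removes the backtracking without changing what is captured.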

Vijeta
Influencer

@w199284 Did you check the _internal index? Make sure your role has access to the internal index. The host field should give you the information.

index=_internal sourcetype=splunkd  PCRE_ERROR_MATCHLIMIT*
0 Karma