Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Who is sending to my heavy forwarder?

w199284
Explorer
‎07-19-2019 09:37 AM

I'm getting a lot of parsing errors on my heavy forwarders ...Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT... but I don't know how to tell where the event is coming from (what host) that is getting the error. My HWFs are very busy and have many source devices sending events. If I knew how to associate this error with an incoming event, I think I could figure this out. Tcpdump might work but the environment is too noisy to make sense of the data. Has anyone had any experience tracking down a host?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2019 05:20 AM

Review the transforms.conf files on the HF for regular expressions that use wildcards. One of the expressions is matching more than the HF can handle.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Vijeta
Influencer
‎07-19-2019 11:45 AM

@w199284 Did you check in _internal index ,make sure your role has access to internal index. The host field should give you the information.

index=_internal sourcetype=splunkd  PCRE_ERROR_MATCHLIMIT*
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...