Getting Data In

What is the cause of ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex?

FritzWittwer_ol
Contributor

I get these error messages for a rather simple regexp:

10-11-2018 07:48:27.818 +0200 ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex: (\S+\s+\S+\s+\S+)\s+(?\S+).\ss=(?\S+)\s.+\sx=(?\S+)\s+mod=(?\S+)\s+(?cmd=(env_from|data|msg).)
10-11-2018 07:48:27.818 +0200 ERROR regexExtractionProcessor - Regex for stanza SDCS-liveclone-firmenich-ls_reformat01 exceeded configured PCRE match limit. Consider raising the MATCH_LIMIT for the regex in props.conf

The transform which contains this regexp is:

[SDCS-liveclone-xxxxxxxx-ls_reformat01]
SOURCE_KEY = _raw
REGEX = (\S+\s+\S+\s+\S+)\s+(?<host>\S+).*\ss=(\S+)\s.+\sx=(?\S+)\s+mod=(\S+)\s+(cmd=(env_from|data|msg).*)
DEST_KEY=_raw
FORMAT=$1 transaction_id=$2_$4 server=$2 session_id1=$3 session_id2=$4 mod=$5 $6

The match limit is 10'000 and the regexp is rather simple, so I don't see a reason for this error.
