what is the cause of ERROR Regex - Failed in pcre_...

Getting Data In

I get this error messages for rather simple regexep

10-11-2018 07:48:27.818 +0200 ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex: (\S+\s+\S+\s+\S+)\s+(?\S+).\ss=(?\S+)\s.+\sx=(?\S+)\s+mod=(?\S+)\s+(?cmd=(env_from|data|msg).)
10-11-2018 07:48:27.818 +0200 ERROR regexExtractionProcessor - Regex for stanza SDCS-liveclone-firmenich-ls_reformat01 exceeded configured PCRE match limit. Consider raising the MATCH_LIMIT for the regex in props.conf

The transforms which contains this regexp is

[SDCS-liveclone-xxxxxxxx-ls_reformat01]
SOURCE_KEY = _raw
(env_from|data|msg).*)
REGEX = (\S+\s+\S+\s+\S+)\s+(?<host>\S+).*\ss=(\S+)\s.+\sx=(?\S+)\s+mod=(\S+)\s+(cmd=(env_from|data|msg).*)
DEST_KEY=_raw
FORMAT=$1 transaction_id=$2_$4 server=$2 session_id1=$3 session_id2=$4 mod=$5 $6

The match limit is 10'000 and the regexp is rather simple so i don't see a reason for this error.

Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...

Are you a member of the Splunk Community?