Splunk ITSI

configured match_limit, consider raising the value in limits.conf

amanthri
Engager

Splunk ITSI is not able to create the ServiceNow tickets whenever we have seen longer comments in the work notes section.
We haven't made any changes recently, but the below error is popping up. Any clue why this is happening?


Seeing this Streamed search execute failed because: Error in 'rex' command: regex="(?s).*dv_comments="(?<comments>.*)$" has exceeded configured match_limit, consider raising the value in limits.conf.

Here's the regex expression:

rex field=_raw "(?s).*dv_comments=\"(?<comments>.*)$"

rex field=comments "(?s)(?<comment_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s-\s(?<comment_user>.*?)\s\(Additional comments\)\n\sResolution notes\s=\s(?<resolution_notes>.*?)(?=\d{4}-\d{2}-\d{2}|\n\"|$).*"

What is the default value to set in limits.conf?
What happens if we set it to default values in ITSI event correlation, and any alternative suggestions?


livehybrid
SplunkTrust

Hi @amanthri 

Your first regex is greedy: the .* at the start matches the entire event, causing backtracking on long inputs. Make it non-greedy or anchor better using something like the following:

rex field=_raw "dv_comments=\"(?<comments>[^\"]*)"

The default value is 10000. Check out https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.4/configuration-file-reference/9.4.3-configuration-file-reference/limits.conf

[rex]
match_limit = <integer>
* Limits the amount of resources that are spent by PCRE
when running patterns that will not match.
* Use this to set an upper bound on how many times PCRE calls an internal
function, match(). If set too low, PCRE might fail to correctly match
a pattern.
* Default: 100000
🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
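
Added example (not code from either poster): before changing the first rex in a correlation search, check offline that a candidate pattern still feeds the second rex the same fields as the original. Python's re has no match_limit and spells named groups (?P<name>...), so this compares extracted fields only, not PCRE cost. The sample events and the "no_prefix" variant are assumptions constructed for illustration.

```python
import re

# First-stage patterns from the thread, with (?<name>) rewritten as (?P<name>).
FIRST_STAGE = {
    "original": r'(?s).*dv_comments="(?P<comments>.*)$',
    "suggested": r'dv_comments="(?P<comments>[^"]*)',
    # Assumption, not from the thread: the original minus its leading greedy .*
    "no_prefix": r'(?s)dv_comments="(?P<comments>.*)$',
}

# Second-stage pattern from the question, unchanged apart from group syntax.
SECOND_STAGE = re.compile(
    r'(?s)(?P<comment_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s-\s'
    r'(?P<comment_user>.*?)\s\(Additional comments\)\n\sResolution notes\s=\s'
    r'(?P<resolution_notes>.*?)(?=\d{4}-\d{2}-\d{2}|\n"|$).*'
)

# Constructed sample events; real ServiceNow payloads may be laid out differently.
PLAIN = ('number=INC0000001 dv_comments="2024-05-01 10:15:00 - Jane Doe '
         '(Additional comments)\n Resolution notes = Restarted the collector\n"')
QUOTED = ('number=INC0000002 dv_comments="2024-05-01 11:00:00 - Jane Doe '
          '(Additional comments)\n Resolution notes = Set mode to "safe" and retried\n"')


def extract(raw, variant):
    """Run both rex stages and return the second stage's fields (or None)."""
    first = re.search(FIRST_STAGE[variant], raw)
    if first is None:
        return None
    second = SECOND_STAGE.search(first.group("comments"))
    return second.groupdict() if second else None


def diverging(raw):
    """List the variants whose final fields differ from the original's."""
    baseline = extract(raw, "original")
    return [name for name in FIRST_STAGE if extract(raw, name) != baseline]


if __name__ == "__main__":
    for label, event in (("PLAIN", PLAIN), ("QUOTED", QUOTED)):
        print(label, "diverging variants:", diverging(event))
```

On the constructed events, a comment containing a double quote is where a `[^"]*` capture stops early, so run the check against exported events from your own index before switching patterns.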
