Splunk Search

ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex: \|.*?summarize.*?action\=

sathwikr076
Communicator

Hello,

I am getting this error in search head don't know why. Anybody had same issue please let me know.

Thansk.

Tags (2)

robert_miller
Path Finder

I just heard from support about this issue, and its a known bug (internal bug SPL-160983) that they have decided to not fix. There is no impact to the system and there isn't a way to stop the error from triggering. Support said to ignore these errors going forward.

season88481
Contributor

We have the same thing here. The regex itself seems working fine. It seems just another annoying error which could be safely ignore.

I think the resolution is to write a less greedy regex.

tommoore
Path Finder

How do we fix this in the jobs page?

/en-US/app/SplunkEnterpriseSecuritySuite/job_manager

0 Karma

FrankVl
Ultra Champion

When / Where are you getting that error? If you're not actually doing a regex yourself, this is either a bug in splunk, or in some field extraction config or so in an add-on you have installed (although I'm not sure if that would result in errors presented in the GUI)?

0 Karma

robert_miller
Path Finder

Did you ever figure this out? We are seeing the exact same error message in our splunkd log.

0 Karma

bcyates
Communicator

Are you using this regex on the search bar with the rex command? If so, you have to use max_match.

The default for max_match is 1. Your regex is matching more than one value in an event.

Set max_match=0 for unlimited matches.

0 Karma

FrankVl
Ultra Champion

max_match is not really related to that error and will not solve it. If you get such an error when running regexes, it means your regex is poorly written and has too many matches (usually because of using stuff like .* and .*?, which cause the regex to match the string in many ways and require a lot of backtracking in the regex engine.
The solution is to write a better regex.

0 Karma

sathwikr076
Communicator

Thanks for your reply. I think i have one regex which is matching many fields because of logs having different log pattern.

0 Karma

sathwikr076
Communicator

Hi,

Thanks for the reply but i am not using any regex which has that field. I checked everything on the search head.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Can you please provide some sample data (Mask sensitive data) and regex ?

0 Karma

C_HIEN
Path Finder

Same error here.
I can reproduce this error each time i refresh the job manager page
Splunk 7.2.5

0 Karma

robert_miller
Path Finder

Same error for us and we are running 7.2.4. Maybe this is an issue with 7.2.x.

0 Karma

FrankVl
Ultra Champion

When and where are you getting that error?

0 Karma

robert_miller
Path Finder

I see this error on our SH running Enterprise Security.

0 Karma

FrankVl
Ultra Champion

But where and when specifically? On which page / after doing what kind of action (e.g. is it with running a specific search, or upon visiting a certain page / dashboard /...).

0 Karma

robert_miller
Path Finder

It does appear to be when I go to the job_manager. Looks like @tommoore and I have the same issue.

0 Karma

FrankVl
Ultra Champion

Sounds like a bug then, which is probably best raised with Splunk Support.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...