I just heard from support about this issue, and it's a known bug (internal bug SPL-160983) that they have decided to not fix. There is no impact to the system and there isn't a way to stop the error from triggering. Support said to ignore these errors going forward.
We have the same thing here. The regex itself seems to be working fine. It seems to be just another annoying error which could be safely ignored.
I think the resolution is to write a less greedy regex.
How do we fix this in the jobs page?
/en-US/app/SplunkEnterpriseSecuritySuite/job_manager
When / where are you getting that error? If you're not actually doing a regex yourself, this is either a bug in Splunk, or in some field extraction config or so in an add-on you have installed (although I'm not sure if that would result in errors presented in the GUI)?
Did you ever figure this out? We are seeing the exact same error message in our splunkd log.
Are you using this regex on the search bar with the rex command? If so, you have to use max_match.
The default for max_match is 1. Your regex is matching more than one value in an event.
Set max_match=0 for unlimited matches.
max_match is not really related to that error and will not solve it. If you get such an error when running regexes, it means your regex is poorly written and has too many matches (usually because of using stuff like .* and .*?, which cause the regex to match the string in many ways and require a lot of backtracking in the regex engine).
The solution is to write a better regex.
Thanks for your reply. I think I have one regex which is matching many fields because of logs having different log patterns.
Hi,
Thanks for the reply, but I am not using any regex which has that field. I checked everything on the search head.
Hi,
Can you please provide some sample data (mask sensitive data) and the regex?
Same error here.
I can reproduce this error each time I refresh the job manager page.
Splunk 7.2.5
Same error for us and we are running 7.2.4. Maybe this is an issue with 7.2.x.
When and where are you getting that error?
I see this error on our SH running Enterprise Security.
But where and when specifically? On which page / after doing what kind of action (e.g. is it with running a specific search, or upon visiting a certain page / dashboard /...).
It does appear to be when I go to the job_manager. Looks like @tommoore and I have the same issue.
Sounds like a bug then, which is probably best raised with Splunk Support.