Splunk Search

ERROR Regex - Failed in pcre_exec: Error PCRE_ERROR_MATCHLIMIT for regex: \|.*?summarize.*?action\=

Communicator

Hello,

I am getting this error in search head don't know why. Anybody had same issue please let me know.

Thansk.

Tags (2)

Path Finder

I just heard from support about this issue, and its a known bug (internal bug SPL-160983) that they have decided to not fix. There is no impact to the system and there isn't a way to stop the error from triggering. Support said to ignore these errors going forward.

Communicator

We have the same thing here. The regex itself seems working fine. It seems just another annoying error which could be safely ignore.

I think the resolution is to write a less greedy regex.

Path Finder

How do we fix this in the jobs page?

/en-US/app/SplunkEnterpriseSecuritySuite/job_manager

0 Karma

Ultra Champion

When / Where are you getting that error? If you're not actually doing a regex yourself, this is either a bug in splunk, or in some field extraction config or so in an add-on you have installed (although I'm not sure if that would result in errors presented in the GUI)?

0 Karma

Path Finder

Did you ever figure this out? We are seeing the exact same error message in our splunkd log.

0 Karma

Communicator

Are you using this regex on the search bar with the rex command? If so, you have to use max_match.

The default for max_match is 1. Your regex is matching more than one value in an event.

Set max_match=0 for unlimited matches.

0 Karma

Ultra Champion

max_match is not really related to that error and will not solve it. If you get such an error when running regexes, it means your regex is poorly written and has too many matches (usually because of using stuff like .* and .*?, which cause the regex to match the string in many ways and require a lot of backtracking in the regex engine.
The solution is to write a better regex.

0 Karma

Communicator

Thanks for your reply. I think i have one regex which is matching many fields because of logs having different log pattern.

0 Karma

Communicator

Hi,

Thanks for the reply but i am not using any regex which has that field. I checked everything on the search head.

0 Karma

SplunkTrust
SplunkTrust

Hi,

Can you please provide some sample data (Mask sensitive data) and regex ?

0 Karma

Path Finder

Same error here.
I can reproduce this error each time i refresh the job manager page
Splunk 7.2.5

0 Karma

Path Finder

Same error for us and we are running 7.2.4. Maybe this is an issue with 7.2.x.

0 Karma

Ultra Champion

When and where are you getting that error?

0 Karma

Path Finder

I see this error on our SH running Enterprise Security.

0 Karma

Ultra Champion

But where and when specifically? On which page / after doing what kind of action (e.g. is it with running a specific search, or upon visiting a certain page / dashboard /...).

0 Karma

Path Finder

It does appear to be when I go to the job_manager. Looks like @tommoore and I have the same issue.

0 Karma

Ultra Champion

Sounds like a bug then, which is probably best raised with Splunk Support.

0 Karma