Splunk Search

How to optimize rex to avoid the error message: Error in 'rex' command: regex= has exceeded configured match_limit, consider raising the value in limits.conf

spisiakmi
Communicator

Hi. Can you help me, please, to optimize the regular expression? The problem is, when I search over a longer time range, I receive the error message: Error in 'rex' command: regex= has exceeded configured match_limit, consider raising the value in limits.conf
I do not want to adjust the limits.conf, I want to write a proper regex.
The search code has been uploaded as the image search.jpg.

The example of the xml log file has been uploaded as an image regex_prob.jpg.

I want to read the whole section which belongs to the "test".

0 Karma
1 Solution

spisiakmi
Communicator

So I removed ? from the rex. And the steps have been reduced to 70. And Splunk is OK with it. No error message.
| rex "(?ms)<test\s+[^>]+^\s</test>" max_match=999

0 Karma

spisiakmi
Communicator

I also reduced the set of events: index=ind fail

0 Karma

harsmarvania57
SplunkTrust

Is it possible for you to provide sample data as text instead of an image (please mask any sensitive data)?

0 Karma

spisiakmi
Communicator

I removed ?. The previous rex has 2568 steps. The new one has only 70 steps. But the error message still appears.
| rex "(?ms)<test\s+[^>]+^\s</test>"

0 Karma

spisiakmi
Communicator

Hi harsmarvania57, I am trying to paste the XML data here, but I'm afraid that special chars will be removed:

  <subTest  name="subTest_name"  testPosition="unknown">
     <subPositions>
        <subPosition  name="{60}"/>
        <subPosition  name="{59}"/>
     </subPositions>
     <subTestResult  testResultClass="fail"  testResultCode="failed">
        <channel  UnitOfMeasure="V"  measureDataType="metricPrefix"  name="channel_1">
           <sample  value="17.4375m"/>
           <limit_hh  value="100m"/>
           <limit_h  value="100m"/>
           <limit_l  value="-100m"/>
           <limit_ll  value="-100m"/>
        </channel>
     </subTestResult>
  </subTest>
  <subTest  name="subTest_name"  testPosition="unknown">
     <subPositions>
        <subPosition  name="{104}"/>
        <subPosition  name="{47}"/>
     </subPositions>
     <subTestResult  testResultClass="fail"  testResultCode="failed">
        <channel  UnitOfMeasure="V"  measureDataType="decimal"  name="channel_2">
           <sample  value="1.89062"/>
           <limit_hh  value="100"/>
           <limit_h  value="100"/>
           <limit_l  value="-100"/>
           <limit_ll  value="-100"/>
        </channel>
     </subTestResult>
  </subTest>
0 Karma
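
An added example, not part of the original thread or any poster's search: one way to pull whole elements out of XML like the sample above without a lazy `.*?`, shown with Python's `re` rather than Splunk's PCRE. It assumes the element of interest is `subTest` as in the pasted sample; the abridged sample string, the pattern names and `extract_subtests` are constructed for illustration.

```python
import re

# Constructed sample, abridged from the subTest elements pasted in the thread.
SAMPLE = """\
  <subTest  name="subTest_name"  testPosition="unknown">
     <subTestResult  testResultClass="fail"  testResultCode="failed">
        <channel  UnitOfMeasure="V"  measureDataType="metricPrefix"  name="channel_1">
           <sample  value="17.4375m"/>
        </channel>
     </subTestResult>
  </subTest>
  <subTest  name="subTest_name"  testPosition="unknown">
     <subTestResult  testResultClass="fail"  testResultCode="failed">
        <channel  UnitOfMeasure="V"  measureDataType="decimal"  name="channel_2">
           <sample  value="1.89062"/>
        </channel>
     </subTestResult>
  </subTest>
"""

# Lazy form: ".*?" re-tests for the closing tag at every single character.
LAZY = re.compile(r"<subTest\b[^>]*>.*?</subTest>", re.S)

# Unrolled form: runs of non-"<" text are consumed in one step, and a "<" is
# accepted only when it does not start the closing tag. The alternatives never
# overlap, so backtracking stays linear even when the closing tag is missing.
UNROLLED = re.compile(r"<subTest\b[^>]*>[^<]*(?:<(?!/subTest>)[^<]*)*</subTest>")

CHANNEL = re.compile(r'<channel\b[^>]*\bname="([^"]*)"')
VALUE = re.compile(r'<sample\s+value="([^"]*)"')

def extract_subtests(text, pattern=UNROLLED):
    """Return one (channel name, sample value) pair per complete subTest block."""
    out = []
    for m in pattern.finditer(text):
        block = m.group(0)
        ch, val = CHANNEL.search(block), VALUE.search(block)
        out.append((ch.group(1) if ch else None, val.group(1) if val else None))
    return out

if __name__ == "__main__":
    print(extract_subtests(SAMPLE))
    # A block cut off before its closing tag is skipped, not half-matched.
    print(extract_subtests(SAMPLE[:SAMPLE.rfind("</subTest>")]))
```

The unrolled pattern uses only syntax that PCRE also supports, so it can be tried in `rex`; whether it stays under match_limit still depends on the size of the events.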

spisiakmi
Communicator

As I thought, the XML code has not been pasted completely. Please compare it with the uploaded regex-prob.jpg file.

0 Karma

harsmarvania57
SplunkTrust

If you paste your sample data with Code Sample (button 101010) then you will be able to paste special characters as well.

0 Karma

spisiakmi
Communicator

Unfortunately it is impossible to submit the code. Nothing happened, although I pasted the code through 101010 and tried to submit it.

0 Karma