Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

On the limit of delimiter in field extracter

yutaka1005
Builder
‎04-12-2018 11:45 PM

I indexed some logs that have values are separated by commas, and I attempted to extract fields using delimiter, but the following error was output.

regular expression is too large

Does the delimiter extraction have limit values?
I hope someone can tell me.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-15-2018 07:19 PM

Try shortening all the field names in the regex

Ex:

 (?<my_long_field_name>regextoextract)

Becomes

 (?<a>regextoextract)

Do that for all your field names, then rename them in search. I believe you’re hitting a validation character limit of 8096.

0 Karma
Reply

yutaka1005
Builder
‎04-15-2018 11:38 PM

Thank youf for answer!

8096 means 8096 bytes?
And is it limit of splunk regex?

0 Karma
Reply

p_gurav
Champion
‎04-13-2018 05:19 AM

Can you give sample data? How many columns you are extracting?
Try extracting with transforms.conf, refer below doc:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Configureadvancedextractionswithfieldtra...

0 Karma
Reply

yutaka1005
Builder
‎04-15-2018 05:26 PM

Thank you for comment.

I'm sorry, I can't give you sample data,but It has over 200 columns.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...