Solved: Optimize Regex

secphilomath1 · ‎02-29-2024

I am getting an error when using the following regex

(?<=on\s)(.*)(?=\sby Firewall Settings)

The error is "Error in 'rex' command: regex="(?<=on\s)(.*)(?<HostName>.*)(?=\sby Firewall Settings)" has exceeded configured match_limit, consider raising the value in limits.conf."

Is there a better way to do this, I am trying to find all text between "on " and " by Firewall Settings. It works in regex101.com, but I get that error in Splunk.

TIA!

richgalloway · ‎02-29-2024

It would help to have a sample (sanitized) event to work with.

Avoid lookbehind and lookahead in Splunk. They're costly and rarely necessary. Try

on\s(?<HostName>\S*)\sby Firewall Settings

---
If this reply helps you, Karma would be appreciated.

View solution in original post

secphilomath1 · ‎03-01-2024

Good to know, thanks, works perfectly.

richgalloway · ‎02-29-2024

It would help to have a sample (sanitized) event to work with.

Avoid lookbehind and lookahead in Splunk. They're costly and rarely necessary. Try

on\s(?<HostName>\S*)\sby Firewall Settings

---
If this reply helps you, Karma would be appreciated.

Optimize Regex

regex

rex

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!