Solved: Optimize Regex

secphilomath1 · ‎02-29-2024

I am getting an error when using the following regex

(?<=on\s)(.*)(?=\sby Firewall Settings)

The error is "Error in 'rex' command: regex="(?<=on\s)(.*)(?<HostName>.*)(?=\sby Firewall Settings)" has exceeded configured match_limit, consider raising the value in limits.conf."

Is there a better way to do this, I am trying to find all text between "on " and " by Firewall Settings. It works in regex101.com, but I get that error in Splunk.

TIA!

richgalloway · ‎02-29-2024

It would help to have a sample (sanitized) event to work with.

Avoid lookbehind and lookahead in Splunk. They're costly and rarely necessary. Try

on\s(?<HostName>\S*)\sby Firewall Settings

---
If this reply helps you, Karma would be appreciated.

View solution in original post

secphilomath1 · ‎03-01-2024

Good to know, thanks, works perfectly.

richgalloway · ‎02-29-2024

It would help to have a sample (sanitized) event to work with.

Avoid lookbehind and lookahead in Splunk. They're costly and rarely necessary. Try

on\s(?<HostName>\S*)\sby Firewall Settings

---
If this reply helps you, Karma would be appreciated.

Optimize Regex

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation