Solved: Optimize Regex

secphilomath1 · ‎02-29-2024

I am getting an error when using the following regex

(?<=on\s)(.*)(?=\sby Firewall Settings)

The error is "Error in 'rex' command: regex="(?<=on\s)(.*)(?<HostName>.*)(?=\sby Firewall Settings)" has exceeded configured match_limit, consider raising the value in limits.conf."

Is there a better way to do this, I am trying to find all text between "on " and " by Firewall Settings. It works in regex101.com, but I get that error in Splunk.

TIA!

richgalloway · ‎02-29-2024

It would help to have a sample (sanitized) event to work with.

Avoid lookbehind and lookahead in Splunk. They're costly and rarely necessary. Try

on\s(?<HostName>\S*)\sby Firewall Settings

---
If this reply helps you, Karma would be appreciated.

View solution in original post

secphilomath1 · ‎03-01-2024

Good to know, thanks, works perfectly.

richgalloway · ‎02-29-2024

It would help to have a sample (sanitized) event to work with.

Avoid lookbehind and lookahead in Splunk. They're costly and rarely necessary. Try

on\s(?<HostName>\S*)\sby Firewall Settings

---
If this reply helps you, Karma would be appreciated.

Optimize Regex

regex

rex

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

Announcing the Expansion of the Splunk Academic Alliance Program