Optimize rex command

clementros · ‎12-18-2019

Hi all,

I want to extract fields form log events.

I have two errors patterns :

* Can not convert FOO from here ==> *
Can't find the FOO segment

What i want is to create a field named grammar_error_reason that contain "Can not convert FOO" or "Can't find the FOO segment"

Here is my rex command :

| rex field=CDREASON "Converted segments:(\s\w{3}+\s-)+\s(?<grammar_error_reason>.+) from here"

This command raise le limits of limits.conf. It take 236 steps.
In the limits.conf file the rex limits are :

[rex]
match_limit = 100000
depth_limit = 1000

Can you help me please.

Kind regards,
Clement

woodcock · ‎12-18-2019

Your problem has nothing to do with limits; your problem is that your RegEx is wrong. Try this:

... | rex field=CDREASON "(?<grammar_error_reason>(?:Can not convert|Can't find the)\s+\w+)\s+(?:from here|segment)"

to4kawa · ‎12-18-2019

| makeresults 
| eval CDREASON=" * Can not convert FOO from here ==> *
 Can't find the FOO segment"
| rex field=CDREASON max_match=100 "(Can not convert|Can't find the) (?<grammar_error_reason>\w+) (from here|segment)"

HI, @clementros
How many lines per event?
If there are more than 100 lines, increase max_match values.

Optimize rex command

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?