Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with optimization of the regex: limits.conf

spisiakmi
Contributor
‎10-05-2019 04:03 AM

Hi I have a problem with the error message of the Splunk: Error in 'rex' command: regex="(?ms)]+^\s\" has exceeded configured match_limit, consider raising the value in limits.conf
The problem is, that the regex regex="(?ms)\<test[^\>]+[^\s](?P<tmp>.*?)\</test\>"for + xml file generates 8099 steps.
I tested it on this xml file:

<?xml version="1.0" encoding="UTF-8" ?>
<unitData  endtime="2019-09-30T05:39:08+02:00"  equipment="eq1"  equipmentClass="eqc1"  locale="german"  operator="ADMINISTRATOR"  senderID="sender1"  starttime="2019-09-30T05:38:09+02:00"  state="nok"  unit="74375513159930675"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xsi:noNamespaceSchemaLocation="unitData-1.1.xsd">
   <subUnitData  position="1"  positionType="Panel Nr."  state="ok"  subUnit="74375513159930675">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="passed">
         <subTest  name="Verbindung zum Pr³fling aufbauen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Initialisierung"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Fehlerflag lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ID lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Sachnummer lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Trigger setzen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ADC Abschalten"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
   <subUnitData  position="2"  positionType="Panel Nr."  state="ok"  subUnit="74375513159930676">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="passed">
         <subTest  name="Verbindung zum Pr³fling aufbauen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Initialisierung"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Fehlerflag lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ID lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Sachnummer lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Trigger setzen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ADC Abschalten"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
   <subUnitData  position="3"  positionType="Panel Nr."  state="ok"  subUnit="74375513159930678">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="passed">
         <subTest  name="Verbindung zum Pr³fling aufbauen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Initialisierung"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Fehlerflag lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ID lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Sachnummer lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Trigger setzen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ADC Abschalten"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
   <subUnitData  position="4"  positionType="Panel Nr."  state="nok"  subUnit="74375513159930677">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="failed">
         <subTest  name="FLOAT"  testPosition="unknown">
            <subPositions>
               <subPosition  name="{27}"/>
            </subPositions>
            <subTestResult  testResultClass="fail"  testResultCode="failed"/>
         </subTest>
         <subTest  name="Components not tested"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
</unitData>

Can you help me, please, to optimize the regex? I want to extract the test tag.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ololdach
Builder
‎10-05-2019 10:13 AM

Hi, take a look at spath. It might be the better solution to extract the fields: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Spath

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ololdach
Builder
‎10-05-2019 10:13 AM

Hi, take a look at spath. It might be the better solution to extract the fields: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Spath

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Contributor
‎10-06-2019 11:47 PM

Hi ololdach,

Thank you for your message.
I used the spath, but I lost the data relation. E.g. In CSV file there is a relation data model guarantied by the first row (header). How would I select here all test name where testResultCode is failed? Using spath of course. And than using the spath the subTest names, which are failed, depending on testname?

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Contributor
‎10-11-2019 05:50 AM

Hi ololdach,

I used the spath and it worked. I had only problem with mvexpand, because of the error message: command.mvexpand: output will be truncated at 300 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached.
I solved it, with the command: |fields - _*
But thank you anyway.

0 Karma
Reply
Solved! Jump to solution

ololdach
Builder
‎10-11-2019 06:06 AM

hi spisiakmi, glad I could help!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-05-2019 04:41 AM

Hi spisiakmi,
try this regex

(?ms)\<test\s(?P<tmp>.*?)\<\/test\>

that you can test at https://regex101.com/r/HHTNrR/1

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Contributor
‎10-05-2019 05:41 AM

Hi Giuseppe,

thank you, but your regex generates more steps, than mine. Mine has 8099, but your 8871. Sorry.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...