Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with optimization of the regex: limits.conf

spisiakmi
Communicator
‎10-05-2019 04:03 AM

Hi I have a problem with the error message of the Splunk: Error in 'rex' command: regex="(?ms)]+^\s\" has exceeded configured match_limit, consider raising the value in limits.conf
The problem is, that the regex regex="(?ms)\<test[^\>]+[^\s](?P<tmp>.*?)\</test\>"for + xml file generates 8099 steps.
I tested it on this xml file:

<?xml version="1.0" encoding="UTF-8" ?>
<unitData  endtime="2019-09-30T05:39:08+02:00"  equipment="eq1"  equipmentClass="eqc1"  locale="german"  operator="ADMINISTRATOR"  senderID="sender1"  starttime="2019-09-30T05:38:09+02:00"  state="nok"  unit="74375513159930675"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xsi:noNamespaceSchemaLocation="unitData-1.1.xsd">
   <subUnitData  position="1"  positionType="Panel Nr."  state="ok"  subUnit="74375513159930675">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="passed">
         <subTest  name="Verbindung zum Pr³fling aufbauen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Initialisierung"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Fehlerflag lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ID lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Sachnummer lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Trigger setzen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ADC Abschalten"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
   <subUnitData  position="2"  positionType="Panel Nr."  state="ok"  subUnit="74375513159930676">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="passed">
         <subTest  name="Verbindung zum Pr³fling aufbauen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Initialisierung"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Fehlerflag lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ID lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Sachnummer lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Trigger setzen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ADC Abschalten"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
   <subUnitData  position="3"  positionType="Panel Nr."  state="ok"  subUnit="74375513159930678">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="passed">
         <subTest  name="Verbindung zum Pr³fling aufbauen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Initialisierung"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Fehlerflag lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ID lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Sachnummer lesen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="Trigger setzen"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
         <subTest  name="ADC Abschalten"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
   <subUnitData  position="4"  positionType="Panel Nr."  state="nok"  subUnit="74375513159930677">
      <test  description="A10-007 7437551"  name="CU102_BAY2_QR"  testResultCode="failed">
         <subTest  name="FLOAT"  testPosition="unknown">
            <subPositions>
               <subPosition  name="{27}"/>
            </subPositions>
            <subTestResult  testResultClass="fail"  testResultCode="failed"/>
         </subTest>
         <subTest  name="Components not tested"  testPosition="unknown">
            <subTestResult  testResultClass="pass"  testResultCode="passed"/>
         </subTest>
      </test>
   </subUnitData>
</unitData>

Can you help me, please, to optimize the regex? I want to extract the test tag.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ololdach
Builder
‎10-05-2019 10:13 AM

Hi, take a look at spath. It might be the better solution to extract the fields: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Spath

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ololdach
Builder
‎10-05-2019 10:13 AM

Hi, take a look at spath. It might be the better solution to extract the fields: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Spath

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎10-06-2019 11:47 PM

Hi ololdach,

Thank you for your message.
I used the spath, but I lost the data relation. E.g. In CSV file there is a relation data model guarantied by the first row (header). How would I select here all test name where testResultCode is failed? Using spath of course. And than using the spath the subTest names, which are failed, depending on testname?

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎10-11-2019 05:50 AM

Hi ololdach,

I used the spath and it worked. I had only problem with mvexpand, because of the error message: command.mvexpand: output will be truncated at 300 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached.
I solved it, with the command: |fields - _*
But thank you anyway.

0 Karma
Reply
Solved! Jump to solution

ololdach
Builder
‎10-11-2019 06:06 AM

hi spisiakmi, glad I could help!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-05-2019 04:41 AM

Hi spisiakmi,
try this regex

(?ms)\<test\s(?P<tmp>.*?)\<\/test\>

that you can test at https://regex101.com/r/HHTNrR/1

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Communicator
‎10-05-2019 05:41 AM

Hi Giuseppe,

thank you, but your regex generates more steps, than mine. Mine has 8099, but your 8871. Sorry.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...