Solved: Regex error, exceeded configured match_limit

prsepulv · ‎08-30-2019

Hi Splunkers,

I'm running Splunk 7.0.1 and having some problems to parse variables using regex in a search.

This is my data, in one line only:

Aug 30 19:40:41 10.181.132.181 1 2019-08-30T19:40:30.729124-04:00 bones NETWORK_STATE FACILITIES LINKS - - - "All Power 1":1,"All Power 2":0,"Five Stars 1":1,"Five Stars 2":1,"Five Stars 3":1,"Five Stars 4":1,"Five Stars 5":1,"Five Stars 6":1,"Five Stars 7":1,"Five Stars Power":0,"Telefive Shark 1":1,"Telefive Shark 2":1,"Infinity 1":1,"Infinity 2":1,"Infinity 3":1,"OutSourcing":1,"Unitel":1,"Longside":1,"Tele Power":1,"Digilast 1":1,"Digilast 2":1

I'm trying to extract some fileds, like:

Option1: FACILITIES
Option2: LINKS
NN1: "All Power 1"
Link_State1: 1
.
.
.
NN21: "Digilast 2"
Link_State21: 1

The regular expresion that I'm trying to use is:

NETWORK_STATE (?<Option1>\w+) (?<Option2>\w+)  - - - 
(?<NN1>.*):(?<Link_State1>.)(?<NN2>.*):(?<Link_State2>.)(?<NN3>.*):(?<Link_State3>.)(?<NN4>.*):(?Link_State4>.)
(?<NN5>.*):(?<Link_State5>.)(?<NN6>.*):(?<Link_State6>.)(?<NN7>.*):(?<Link_State7>.)(?<NN8>.*):(?<Link_State8>.)
(?<NN9>.*):(?<Link_State9>.)(?<NN10>.*):(?<Link_State10>..)(?<NN11>.*):(?<Link_State11>..)(?<NN12>.*):(?<Link_State12>..)
(?<NN13>.*):(?<Link_State13>..)(?<NN14>.*):(?<Link_State14>..)(?<NN15>.*):(?<Link_State15>..)(?<NN16>.*):(?<Link_State16>..)
(?<NN17>.*):(?<Link_State17>..)(?<NN18>.*):(?<Link_State18>..)(?<NN19>.*):(?<Link_State19>..)(?<NN20>.*):(?<Link_State20>..)
(?<NN21>.*):(?<Link_State21>..)

But I've got the following error:

Error in 'rex' command: regex="NETWORK_STATE (?<Option1>\w+) (?<Option2>\w+) - - - (?<NN1>.*),(?<NN10>.*):(?<Link_State10>.), 
(?<NN11>.*):(?<Link_State11>.),(?<NN12>.*):(?<Link_State12>.),(?<NN13>.*):(?<Link_State13>.),(?<NN14>.*):(?<Link_State14>.),(? 
<NN15>.*):(?<Link_State15>.),(?<NN16>.*):(?<Link_State16>.),(?<NN17>.*):(?<Link_State17>.),(?<NN18>.*):(?<Link_State18>.),(? 
<NN19>.*):(?<Link_State19>.),(?<NN20>.*):(?<Link_State20>.),(?<NN21>.*):(?<Link_State21>.)" has exceeded configured match_limit, 
consider raising the value in limits.conf

Looking for the error, I've learnt that there is better ways to achieve my goal. Please, could yo enlight me?

Regards

Pedro

Sukisen1981 · ‎08-31-2019

any reason why you are performing a greedy rex
consider changing to this

 rex field=_raw  "NETWORK_STATE (?<Option1>\w+)(?<Option2>.*?)\- - -+\s+\"(?<NN1>.*?)\""


Basically , try replacing the MN fields .* with .*?

There are other fantastic answers here -
https://answers.splunk.com/answers/35098/rex-matching-everything-until-a-tab.html
AND
https://answers.splunk.com/answers/727560/rex-has-exceeded-configured-match-limit.html
AND
https://answers.splunk.com/answers/581183/is-my-rex-right-rex-has-exceeded-configured-match.html

Just to cite a few

View solution in original post

Sukisen1981 · ‎08-31-2019

any reason why you are performing a greedy rex
consider changing to this

 rex field=_raw  "NETWORK_STATE (?<Option1>\w+)(?<Option2>.*?)\- - -+\s+\"(?<NN1>.*?)\""


Basically , try replacing the MN fields .* with .*?

There are other fantastic answers here -
https://answers.splunk.com/answers/35098/rex-matching-everything-until-a-tab.html
AND
https://answers.splunk.com/answers/727560/rex-has-exceeded-configured-match-limit.html
AND
https://answers.splunk.com/answers/581183/is-my-rex-right-rex-has-exceeded-configured-match.html

Just to cite a few

prsepulv · ‎08-31-2019

It works like a charm.

Thank you very much...!!!

Regex error, exceeded configured match_limit

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment