Splunk Search

Rex has exceeded configured match_limit, consider raising the value in limits.conf.

majilan1
Path Finder

Hi Splunkers, any help with "Rex has exceeded configured match_limit, consider raising the value in limits.conf"?

My search looks like this:

index=abc index=def process=jkl 
| rex field=_raw ";(?<h_db_host>\w+);(?<h_instance_name>\w+);\d+;\d+;(?<h_db_name>\w+);(?<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?<user_computer_name>[^;]*)?;[-\d]+;[-\d]+;(?<audit_policy_name>[^;]+);(?<audit_policy_severity>\w+);(?<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?<activity_details>[^;]+);(?<application_username>[^;]*)?;{5}(?<db_user_id>\w+)?;(?<user_application>[^;]+)?;(?<db_schema>\w+)?;" 
| rex field=user_activity "(?<user_activity_event>.+?)\;"
| fillnull value="null"
| search h_db_name IN("srp1", "brp1") audit_policy_severity="CRITICAL" db_user_id=SYSTEM
| table _time, env, host, h_db_host, h_instance_name, h_db_name, user_computer_ip user_computer_name audit_policy_name audit_policy_severity user_activity_event 

Any help will be appreciated.


inventsekar
SplunkTrust

Hi @majilan1 
1) May I know if you understood search time vs index time?

2) Index time - while indexing the data itself you can "catch" the required fields (this is called index time).

3) Search time - if you didn't configure index time, then sometimes the fields may not be indexed (not caught when onboarding the data). Then we need to write the rex to catch the fields at search time. This is acceptable, but if we use too many rex, Splunk will struggle. 
4) Search time is always preferred over index time - (this is a debatable topic), but as far as I remember, the Splunk docs suggest we use search time instead of index time. 

5) Situations like yours... a complex list of field extractions... can be prepared and planned through index time, so Splunk will not bother you with its own limitations 😉


(PS - my karma stats - given 2000 and received 500. thanks for reading )

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

ITWhisperer
SplunkTrust

You could try using split to break up the field

| eval fields=split(_raw, ";")
| eval h_db_host=mvindex(fields,1)
etc.

yuanliu
SplunkTrust

As @sainag_splunk says, use of unlimited wildcards (+, *) is usually the cause. For others to help, you will need to post sample data that triggers these errors. Usually the remedy is to analyze your data boundaries and find a more restrictive regex. 
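The split approach ITWhisperer suggests, carried through for the full record layout the question's rex describes, as an added Python example (not code from any of the posts). It also keeps the only bounded regex the event needs (the IPv4 check) and reproduces the question's fillnull and search lines, so the same filtering can be checked without any unbounded wildcard. The field positions are the ones implied by the original rex, and the sample event is constructed, since the thread contains no real data.

```python
import re

# Field positions implied by the rex in the question, counting ';'-separated
# slots from the start of _raw (slot 0 is whatever precedes the first ';').
# Slots 16-19 are the four empty fields the original ';{5}' skips over.
FIELD_POSITIONS = {
    "h_db_host": 1, "h_instance_name": 2, "h_db_name": 5,
    "user_computer_ip": 6, "user_computer_name": 7,
    "audit_policy_name": 10, "audit_policy_severity": 11,
    "user_activity": 12, "activity_result": 13, "activity_details": 14,
    "application_username": 15, "db_user_id": 20,
    "user_application": 21, "db_schema": 22,
}
# Bounded pattern applied to one already-split slot: no unbounded wildcard,
# so it cannot backtrack the way the unanchored whole-event rex can.
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LAST = max(FIELD_POSITIONS.values())


def parse_event(raw):
    """Split-based equivalent of the rex (linear time). Returns None where
    the original rex would not match: too few slots, or a non-IP in slot 6."""
    slots = raw.split(";")
    if len(slots) <= LAST:
        return None
    fields = {name: slots[pos] for name, pos in FIELD_POSITIONS.items()}
    ip = fields["user_computer_ip"]
    if ip and not IPV4.match(ip):
        return None
    # Note: user_activity was extracted with [^;]+, so it never contains ';'
    # and the question's second rex ('(.+?)\;') cannot match inside it.
    # '| fillnull value="null"' for the same set of fields:
    return {k: (v if v != "" else "null") for k, v in fields.items()}


def is_critical_system_event(fields):
    """The '| search ...' line of the question, applied to one parsed event."""
    return (fields is not None
            and fields["h_db_name"] in {"srp1", "brp1"}
            and fields["audit_policy_severity"] == "CRITICAL"
            and fields["db_user_id"] == "SYSTEM")


# Constructed sample event in the layout the original rex describes.
SAMPLE = ("2024-05-01T10:00:00 audit;dbhost01;INST1;12;34;srp1;10.1.2.3;"
          "WKS42;-1;-1;PrivilegedAccess;CRITICAL;LOGIN;SUCCESSFUL;"
          "login ok;appuser" + ";" * 5 + "SYSTEM;sqlplus;HR;")

if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev, is_critical_system_event(ev))
```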

sainag_splunk
Splunk Employee

@majilan1 the rex timeout typically happens with complex events/data, or a lot of wildcards in your regex. Refer: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Limitsconf#.5Brex.5D

Try using that with the max_match option.

| rex max_match=0 

If this Helps, Please Upvote