Splunk Search

Rex has exceeded configured match_limit, consider raising the value in limits.conf.

majilan1
Path Finder

Hi Splunkers, any help with "Rex has exceeded configured match_limit, consider raising the value in limits.conf"?

My search looks like this:

(index=abc OR index=def) process=jkl
| rex field=_raw ";(?<h_db_host>\w+);(?<h_instance_name>\w+);\d+;\d+;(?<h_db_name>\w+);(?<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?<user_computer_name>[^;]*)?;[-\d]+;[-\d]+;(?<audit_policy_name>[^;]+);(?<audit_policy_severity>\w+);(?<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?<activity_details>[^;]+);(?<application_username>[^;]*)?;{5}(?<db_user_id>\w+)?;(?<user_application>[^;]+)?;(?<db_schema>\w+)?;"
| rex field=user_activity "(?<user_activity_event>.+?)\;"
| fillnull value="null"
| search h_db_name IN("srp1", "brp1") audit_policy_severity="CRITICAL" db_user_id=SYSTEM
| table _time, env, host, h_db_host, h_instance_name, h_db_name, user_computer_ip, user_computer_name, audit_policy_name, audit_policy_severity, user_activity_event

Any help will be appreciated.


inventsekar
SplunkTrust

Hi @majilan1 
1) May I know if you understood search time vs. index time?

2) Index time - while indexing the data itself you can "catch" the required fields (this is called index time).

3) Search time - if you didn't configure index time, then sometimes the fields may not be indexed (not caught when onboarding the data). Then we need to write the rex to catch the fields at search time. This is acceptable, but if we use too many rex, Splunk will struggle.
4) Search time is always preferred over index time - (this is a debatable topic), but as far as I remember, the Splunk docs suggest we use search time instead of index time.

5) In a situation like yours... a complex list of field extractions... can be prepared and planned through index time, so Splunk will not trouble you with its own limitations 😉


thanks and best regards,
Sekar

ITWhisperer
SplunkTrust

You could try using split to break up the field:

| eval fields=split(_raw, ";")
| eval h_db_host=mvindex(fields,1)
etc.

yuanliu
SplunkTrust

As @sainag_splunk says, use of unlimited wildcards (+, *) is usually the cause. For others to help, you will need to post sample data that triggers these errors. Usually the remedy is to analyze your data boundaries and find a more restrictive regex.

sainag_splunk
Splunk Employee

@majilan1 the rex timeout typically happens with complex events/data, or a lot of wildcards in your regex. Refer: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Limitsconf#.5Brex.5D

Try using that with the max_match option.

| rex max_match=0 
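The split-based extraction suggested by ITWhisperer and the advice from yuanliu and sainag_splunk to test the rex against sample data can both be tried offline, before anyone touches limits.conf. The Python script below is an added example and not code from any post in this thread. It maps the field names to the ';'-separated positions implied by the posted rex (that position map is my reading of the regex, not something the original poster confirmed), runs the posted rex in Python with the single change that (?<name>...) becomes (?P<name>...), and checks that both methods agree on constructed sample records: a normal one, one where the optional fields are empty, and one the rex rejects outright.

```python
import re

# Added example, not code from the thread. Positions are read off the rex
# posted in the question: position n is the n-th ';'-separated token of _raw,
# with the text before the first ';' at position 0. Positions 3, 4, 8, 9, 13
# and 16-19 are matched by the rex but not captured.
FIELD_POSITIONS = {
    "h_db_host": 1, "h_instance_name": 2, "h_db_name": 5,
    "user_computer_ip": 6, "user_computer_name": 7,
    "audit_policy_name": 10, "audit_policy_severity": 11, "user_activity": 12,
    "activity_details": 14, "application_username": 15,
    "db_user_id": 20, "user_application": 21, "db_schema": 22,
}

# The rex from the question, unchanged except that Python's re module needs
# (?P<name>...) where Splunk/PCRE accept (?<name>...).
REX = re.compile(
    r";(?P<h_db_host>\w+);(?P<h_instance_name>\w+);\d+;\d+;(?P<h_db_name>\w+);"
    r"(?P<user_computer_ip>\d{1,3}(?:\.\d{1,3}){3})?;(?P<user_computer_name>[^;]*)?;"
    r"[-\d]+;[-\d]+;(?P<audit_policy_name>[^;]+);(?P<audit_policy_severity>\w+);"
    r"(?P<user_activity>[^;]+);(SUCCESSFUL|UNSUCCESSFUL);(?P<activity_details>[^;]+);"
    r"(?P<application_username>[^;]*)?;{5}(?P<db_user_id>\w+)?;"
    r"(?P<user_application>[^;]+)?;(?P<db_schema>\w+)?;"
)


def make_record(overrides=None):
    """Constructed sample audit record (not real data) with 24 positions."""
    tokens = [
        "2024-01-15 10:22:03",      # 0: whatever precedes the first ';'
        "dbhost01", "ORCL1",        # 1, 2
        "12", "34",                 # 3, 4: \d+;\d+ but not captured
        "srp1",                     # 5
        "10.1.2.3", "WS-ALICE",     # 6, 7
        "-1", "7",                  # 8, 9: [-\d]+;[-\d]+ but not captured
        "Privileged Access", "CRITICAL", "SELECT FROM DBA_USERS",  # 10, 11, 12
        "SUCCESSFUL",               # 13: unnamed group in the rex
        "select * from dba_users",  # 14
        "alice",                    # 15
        "", "", "", "",             # 16-19: the empty fields inside ';{5}'
        "SYSTEM", "sqlplus", "SYS", # 20, 21, 22
        "",                         # 23: nothing after the final ';'
    ]
    for pos, value in (overrides or {}).items():
        tokens[pos] = value
    return ";".join(tokens)


def parse_with_split(raw):
    """split(_raw, ";") + mvindex, as suggested in the thread, done in Python."""
    tokens = raw.split(";")
    return {name: (tokens[pos] if pos < len(tokens) else "")
            for name, pos in FIELD_POSITIONS.items()}


def parse_with_rex(raw):
    """Apply the posted rex. None means the event would get no fields at all
    (the fillnull in the search would then show 'null' for every one of them)."""
    m = REX.search(raw)
    if m is None:
        return None
    # A capture group that did not participate yields None; treat it as an
    # empty field so the result is comparable with the split-based parse.
    return {name: (value or "") for name, value in m.groupdict().items()}


SAMPLE_OK = make_record()
# Optional fields empty: IP, workstation, application user, DB user, schema.
SAMPLE_EMPTY = make_record({6: "", 7: "", 15: "", 20: "", 22: ""})
# A host name containing '-' does not satisfy \w+, so the rex fails entirely.
SAMPLE_HYPHEN = make_record({1: "db-host-01"})


def rex_and_split_agree(raw):
    """True when both methods extract the same value for every field."""
    return parse_with_rex(raw) == parse_with_split(raw)


if __name__ == "__main__":
    for label, raw in [("ok", SAMPLE_OK), ("empty", SAMPLE_EMPTY), ("hyphen", SAMPLE_HYPHEN)]:
        print(label, "agree:", rex_and_split_agree(raw), "rex:", parse_with_rex(raw))
```

Two things the comparison brings out. The split path never runs PCRE, so the match_limit and depth_limit settings in the [rex] stanza of limits.conf (defaults 100000 and 1000) do not apply to it; the price is that it trusts field positions blindly, so a record with an extra or missing ';' shifts every later field, where the rex would most likely just fail to match. And an event where the rex does not match produces no extracted fields at all, which is why the fillnull value="null" in the original search should be read as "extraction failed" rather than "field was empty". Note also that max_match only sets how many matches rex returns per event (0 means unlimited); it does not reduce the PCRE work done by a single match attempt, so it is not a fix for the match_limit message.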