Rex has exceeded configured match_limit

orionex
New Member

I'm trying to extract 1 field from a log line. Just trying to extract the email.

I can't extract a single field, and I get an error saying my rex has exceeded configured match_limit, consider raising the value in limits.conf.

Any suggestion of where I am going wrong? Is it possible my rex (as below) is not right? I used the Splunk Cloud field extractor.


Error in 'rex' command: regex="(?ms)^\d+\-\d+\-\d+\w+\d+:\d+:\d+\.\d+\+\d+:\d+\s+\d+\.\d+\.\d+\.\d+\s+\w+\-\w+\s+\d+\s+\-\s+\[\w+\s+\w+="\d+"\]\s+\w+\s+\w+\s+\w+\s+\w+:\s+<\d+>\d+\s+\d+\-\d+\-\d+\w+\d+:\d+:\d+\.\d+\-\d+:\d+\s+\w+\-\w+\-\w+\s+\-\s+\-\s+\w+>@<\s+\{\s+"\w+":\s+"\d+\.\d+",\s+"\w+":\s+"\w+",\s+"\w+":\s+"\d+\-\d+\-\d+\w+\d+:\d+:\d+\.\d+\w+",\s+"\w+":\s+"\w+\d+\w+\d+\w+\d+\w+/\d+\w+\d+\w+\d+\w+\d+\w+/\d+\w+\d+\w+=",\s+"\w+":\s+\{\s+"\w+":\s+"\w+\d+\w+\-\w+",\s+"\w+":\s+"\d+\.\d+\.\d+\.\d+",\s+"\w+":\s+"(?P<sss>[^"]+)" has exceeded configured match_limit, consider raising the value in limits.conf


Sample logs

2018-10-14T12:55:30.418+00:00 10.3.4.150 syslog-ng 176 - [meta sequenceId="100000"] Error processing log message: <14>1 2018-10-21T08:55:30.791523-04:00 CB-ID-SCT - - RemoteLogging>@< { "logVersion": "1.0", "category": "AUDIT", "timeStamp": "2021-09-21T12:53:16.879Z", "id": "vy1m6dhu0xlrRdo0se5IJmWQnR8mPb+QpeFcILHySTU=", "context": { "tenantId": "ZZNXA0OELD-STA", "originatingAddress": "54.189.24.789", "principalId": "tundern@gmail.com", "sessionId": "cd419cd2-fge7f-5671-98c0-87d8b1e035dd", "globalAccessId": "42ga93ea-x5a9-81c8-4a87-b32b9abc3fa2", "applicationType": "SAML", "applicationName": "Cali Baco localSafetys - WC02", "policyName": "Global Policy for STA" }, "details": { "type": "ACCESS_REQUEST", "state": "Accepted", "action": "auth", "credentials": [{ "type": "cut", "state": "Verified" } ] } }


ashvinpandey
Communicator

@orionex Please try using the below regex:

| rex field=_raw "principalId\"\:\s\"(?P<email>.*?)\""

Also, if this reply helps you, an upvote would be appreciated.


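The root cause in the thread is worth spelling out: the Splunk Cloud field extractor generated a position-based pattern that describes every token from the start of the line up to the email, and a long chain of `\s+\w+\s+\w+` segments can backtrack an enormous number of times before PCRE gives up at `match_limit`. Anchoring on the key name (`principalId`) removes almost all of that work, and because the payload after `RemoteLogging>@<` is JSON, parsing it is more robust still. The Python below is an added illustration, not code from the thread or from Splunk; it runs the targeted regex (with `[^"]+` in place of `.*?`, so the match cannot cross a closing quote) and a JSON-based extraction side by side on the sample event posted above. The function names and the JSON slicing approach are this example's own.

```python
import json
import re

# Sample event taken from the thread (split across literals only for readability).
SAMPLE_EVENT = (
    '2018-10-14T12:55:30.418+00:00 10.3.4.150 syslog-ng 176 - '
    '[meta sequenceId="100000"] Error processing log message: <14>1 '
    '2018-10-21T08:55:30.791523-04:00 CB-ID-SCT - - RemoteLogging>@< '
    '{ "logVersion": "1.0", "category": "AUDIT", '
    '"timeStamp": "2021-09-21T12:53:16.879Z", '
    '"id": "vy1m6dhu0xlrRdo0se5IJmWQnR8mPb+QpeFcILHySTU=", '
    '"context": { "tenantId": "ZZNXA0OELD-STA", '
    '"originatingAddress": "54.189.24.789", '
    '"principalId": "tundern@gmail.com", '
    '"sessionId": "cd419cd2-fge7f-5671-98c0-87d8b1e035dd", '
    '"globalAccessId": "42ga93ea-x5a9-81c8-4a87-b32b9abc3fa2", '
    '"applicationType": "SAML", '
    '"applicationName": "Cali Baco localSafetys - WC02", '
    '"policyName": "Global Policy for STA" }, '
    '"details": { "type": "ACCESS_REQUEST", "state": "Accepted", '
    '"action": "auth", '
    '"credentials": [{ "type": "cut", "state": "Verified" } ] } }'
)

# Targeted pattern: anchor on the key, not on everything that precedes it.
# [^"]+ cannot run past the closing quote, so there is nothing to backtrack
# over; the same pattern works as the argument to Splunk's rex command.
PRINCIPAL_RE = re.compile(r'"principalId"\s*:\s*"(?P<email>[^"]+)"')


def extract_email_regex(event: str):
    """Return the principalId value via the key-anchored regex, or None."""
    match = PRINCIPAL_RE.search(event)
    return match.group("email") if match else None


def extract_email_json(event: str):
    """Slice the JSON payload out of the syslog wrapper and walk to
    context.principalId. Returns None if there is no parseable payload."""
    start, end = event.find("{"), event.rfind("}")
    if start == -1 or end < start:
        return None
    try:
        payload = json.loads(event[start:end + 1])
    except json.JSONDecodeError:
        return None
    context = payload.get("context")
    if not isinstance(context, dict):
        return None
    return context.get("principalId")


if __name__ == "__main__":
    print("regex :", extract_email_regex(SAMPLE_EVENT))
    print("json  :", extract_email_json(SAMPLE_EVENT))
```

The regex variant is what you would paste into `rex`; the JSON variant is the shape to reach for in a pipeline (or in Splunk via `spath` on the extracted payload) when more than one field is needed, since it does not depend on field order and tolerates whitespace changes in the emitter.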