Splunk Search

Search generates this error - Regex: regular expression is too large

jwhughes58
Contributor

This is the search with some anonymization.

index=index_1 sourcetype=sourcetype_1 field_1 IN ( 
    [ search index=index_2 field_2 IN ( 
        [ search index=index_2 field_2=abcdefg
        | fields field_3
        | mvcombine field_3 delim=" " 
        | nomv field_3 
        | dedup field_3 
        | sort field_3 
        | return $field_3]) 
    | fields field_3 
    | sort field_3 
    | mvcombine field_3 delim=" " 
    | nomv field_3])

The deepest subsearch returns a list of managers that report to a director, 10 names. The subsearch returns a list of users who report to those managers, 1137 names. If I run the search like this, I get output.

index=index_1 sourcetype=sourcetype_1 field_1 IN (1137 entries)

I can't find a reason that the first search returns this, 'Regex: regular expression is too large', since there is no command that uses regex. I can run each subsearch without any issues. I can't find anything in the _internal index. Any thoughts on why this is happening or a better search?

TIA,

Joe
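An alternative way to build the same nested filter, added here as an example; it is not part of the original post or of any reply in this thread. Instead of collapsing each level into one space-delimited string and handing it to IN ( ... ), it lets each subsearch return one row per value and relies on the subsearch's default formatting, which expands rows into an OR of exact field=value terms. index_1, index_2, sourcetype_1, field_1/field_2/field_3 and the director value abcdefg are the anonymized names from the question; the maxresults values are assumptions to tune against the [subsearch] maxout limit in limits.conf (10000 by default), and whether this form avoids the error on the full 1137-user list is not established by the thread:

```spl
index=index_1 sourcetype=sourcetype_1
    [ search index=index_2
        [ search index=index_2 field_2=abcdefg
          | stats count BY field_3
          | rename field_3 AS field_2
          | fields field_2
          | format maxresults=100 ]
      | stats count BY field_3
      | rename field_3 AS field_1
      | fields field_1
      | format maxresults=5000 ]
```

stats count BY field_3 deduplicates and sorts the values and splits a multivalue field_3 into one row per value, so the mvcombine/nomv/dedup/sort chain is not needed. The rename to the outer field name matters: a subsearch without return or an explicit format is expanded as ( ( field_1="a" ) OR ( field_1="b" ) ... ), so the field name in the rows becomes the field name in the generated filter. The reason the original search combined everything into a single row before return $field_3 is that return emits only the first row unless given a count (return 10000 $field_3 would be the other way to get all values out). Each nested subsearch is still bounded by maxout and maxtime, and the expanded OR list still counts against the size of the outer search string, so trimming the population upstream, as the accepted solution did, remains the practical lever when the expansion is large.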

1 Solution

jwhughes58
Contributor

The solution was filtering what was returned. The search went from 1139 users reporting up to 233. The 233 didn't error.

sainag_splunk
Splunk Employee

Hello! There could be a regex defined on that sourcetype. Please run btool on the backend for that sourcetype and check whether you find any spaces or typos in that regex, then try to remove them.

/opt/splunk/bin/splunk btool validate-regex --debug
I would also check the search.log to see what is happening there.
Hope this helps.

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

sainag_splunk
Splunk Employee

First, let's find the transforms.conf by running the btool command below.

/opt/splunk/bin/splunk btool transforms list --debug | grep sourcetype_1

Then you can try something like this on the transforms.conf from the app found above:

splunk@idx1:/opt/splunk/bin$ /opt/splunk/bin/splunk btool validate-regex /opt/splunk/etc/apps/learned/local/transforms.conf --debug
Bad regex value: '-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)', of param: transforms.conf / [metrics_field_extraction] / REGEX; why: unmatched closing parenthesis


jwhughes58
Contributor

Thanks for the assistance @sainag_splunk. I didn't know about some of the btool options. I normally do

btool --debug [inputs|props|transforms] list <stanza>


jwhughes58
Contributor

@sainag_splunk I didn't get any results back from the searches. This isn't surprising since the information is a csv file ingested by Splunk for reference. We don't do any modifications of the data.


jwhughes58
Contributor

@sainag_splunk The command doesn't return anything. Is there supposed to be an index or sourcetype in the command?
