Splunk Search

Search generates this error - Regex: regular expression is too large

jwhughes58
Contributor

This is the search with some anonymization.


index=index_1 sourcetype=sourcetype_1 field_1 IN ( 
    [ search index=index_2 field_2 IN ( 
        [ search index=index_2 field_2=abcdefg
        | fields field_3
        | mvcombine field_3 delim=" " 
        | nomv field_3 
        | dedup field_3 
        | sort field_3 
        | return $field_3]) 
    | fields field_3 
    | sort field_3 
    | mvcombine field_3 delim=" " 
    | nomv field_3])


The deepest subsearch returns a list of managers that report to a director, 10 names.  The subsearch returns a list of users who report to those managers, 1137 names.  If I run the search like this, I get output.


index=index_1 sourcetype=sourcetype_1 field_1 IN (1137 entries)


I can't find a reason that the first search returns this, 'Regex: regular expression is too large', since there is no command that uses regex.  I can run each subsearch without any issues.  I can't find anything in the _internal index.  Any thoughts on why this is happening or a better search?

TIA,

Joe


1 Solution

jwhughes58
Contributor

The solution was filtering what was returned.  The search went from 1139 users reporting up to 233.  The 233 didn't error.

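An alternative that keeps the 1137 user names out of the outer search string altogether, added here as an example and not code from the thread: materialize the two reporting lists into lookups and filter index_1 with the lookup command, so the large list is never expanded into a search expression. The lookup file names director_managers.csv and director_users.csv and the permission to write lookups are assumptions; the first two searches refresh the lists (run once or on a schedule) and the third replaces the nested search.

```spl
index=index_2 field_2=abcdefg
| stats count BY field_3
| fields field_3
| rename field_3 AS field_2
| outputlookup director_managers.csv

index=index_2 [| inputlookup director_managers.csv | fields field_2]
| stats count BY field_3
| fields field_3
| rename field_3 AS field_1
| outputlookup director_users.csv

index=index_1 sourcetype=sourcetype_1
| lookup director_users.csv field_1 OUTPUT field_1 AS in_scope
| where isnotnull(in_scope)
| fields - in_scope
```

The stats count BY steps stand in for the original dedup, and only the ten-name manager list is still expanded inline in the second search, which the thread shows works at that size.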


sainag_splunk
Splunk Employee

Hello! There could be a regex defined on that sourcetype. Please run a btool on the backend for that sourcetype and figure out if you find any spaces or typos in that regex, then try to remove them.

/opt/splunk/bin/splunk btool validate-regex --debug



I would check out the search.log instead on what's happening there.


Hope this helps.

sainag_splunk
Splunk Employee

First, let's find the transforms.conf by running the below btool.

/opt/splunk/bin/splunk btool transforms list --debug | grep sourcetype_1



Then you can try something like this on the transforms.conf from the app above?

splunk@idx1:/opt/splunk/bin$ /opt/splunk/bin/splunk btool validate-regex /opt/splunk/etc/apps/learned/local/transforms.conf --debug
Bad regex value: '-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)', of param: transforms.conf / [metrics_field_extraction] / REGEX; why: unmatched closing parenthesis



jwhughes58
Contributor

Thanks for the assistance @sainag_splunk.  I didn't know about some of the btool options.  I normally do

btool --debug [inputs|props|transforms] list <stanza>


jwhughes58
Contributor

@sainag_splunk I didn't get any results back from the searches.  This isn't surprising since the information is a csv file ingested by Splunk for reference.  We don't do any modifications of the data.


jwhughes58
Contributor

@sainag_splunk The command doesn't return anything.  Is there supposed to be an index or sourcetype in the command?
