This is the search with some anonymization.
index=index_1 sourcetype=sourcetype_1 field_1 IN (
[ search index=index_2 field_2 IN (
[ search index=index_2 field_2=abcdefg
| fields field_3
| mvcombine field_3 delim=" "
| nomv field_3
| dedup field_3
| sort field_3
| return $field_3])
| fields field_3
| sort field_3
| mvcombine field_3 delim=" "
| nomv field_3])
The deepest subsearch returns a list of managers that report to a director, 10 names. The subsearch returns a list of users who report to those managers, 1137 names. If I run the search like this, I get output.
index=index_1 sourcetype=sourcetype_1 field_1 IN (1137 entries)
I can't find a reason that the first search returns this, 'Regex: regular expression is too large', since there is no command that uses regex. I can run each subsearch without any issues. I can't find anything in the _internal index. Any thoughts on why this is happening or a better search?
TIA,
Joe
The solution was filtering what was returned. The search went from 1139 users reporting up to 233. The 233 didn't error.
Hello! There could be a regex defined on that sourcetype. Please run a btool on the backend for that sourcetype and figure out if you find any spaces or typos in that regex, then try to remove them.
/opt/splunk/bin/splunk btool validate-regex --debug
I would check out the search.log instead to see what's happening there.
Hope this helps.
First, let's find the transforms.conf by running the btool command below.
/opt/splunk/bin/splunk btool transforms list --debug | grep sourcetype_1
Then you can try something like this on your transforms.conf from the app above:
splunk@idx1:/opt/splunk/bin$ /opt/splunk/bin/splunk btool validate-regex /opt/splunk/etc/apps/learned/local/transforms.conf --debug
Bad regex value: '-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)', of param: transforms.conf / [metrics_field_extraction] / REGEX; why: unmatched closing parenthesis
Thanks for the assistance @sainag_splunk . I didn't know about some of the btool options. I normally do
btool --debug [inputs|props|transforms] list <stanza>
@sainag_splunk I didn't get any results back from the searches. This isn't surprising since the information is a csv file ingested by Splunk for reference. We don't do any modifications of the data.
@sainag_splunk The command doesn't return anything. Is there supposed to be an index or sourcetype in the command?
