Splunk Search

Search generates this error - Regex: regular expression is too large

jwhughes58
Contributor

This is the search with some anonymization.


index=index_1 sourcetype=sourcetype_1 field_1 IN ( 
    [ search index=index_2 field_2 IN ( 
        [ search index=index_2 field_2=abcdefg
        | fields field_3
        | mvcombine field_3 delim=" " 
        | nomv field_3 
        | dedup field_3 
        | sort field_3 
        | return $field_3]) 
    | fields field_3 
    | sort field_3 
    | mvcombine field_3 delim=" " 
    | nomv field_3])


The deepest subsearch returns a list of managers that report to a director, 10 names.  The subsearch returns a list of users who report to those managers, 1137 names.  If I run the search like this, I get output.


index=index_1 sourcetype=sourcetype_1 field_1 IN (1137 entries)


I can't find a reason that the first search returns this,  'Regex: regular expression is too large', since there is no command that uses regex.  I can run each subsearch without any issues.  I can't find anything in the _internal index.  Any thoughts on why this is happening or a better search?

TIA,

Joe



jwhughes58
Contributor

The solution was filtering what was returned.  The search went from 1139 users reporting up to 233.  The 233 didn't error.


sainag_splunk
Splunk Employee

Hello! There could be a regex defined on that sourcetype. Please run a btool on the backend for that sourcetype and figure out if you find any spaces or typos in that regex, then try to remove them.

/opt/splunk/bin/splunk btool validate-regex --debug



I would check out the search.log instead on what's happening there.


Hope this helps.

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

sainag_splunk
Splunk Employee

First, let's find the transforms.conf by running the below btool.

/opt/splunk/bin/splunk btool transforms list --debug | grep sourcetype_1



Then you can try something like this on your transforms.conf from the app above?

splunk@idx1:/opt/splunk/bin$ /opt/splunk/bin/splunk btool validate-regex /opt/splunk/etc/apps/learned/local/transforms.conf --debug
Bad regex value: '-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)', of param: transforms.conf / [metrics_field_extraction] / REGEX; why: unmatched closing parenthesis


If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
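An offline first pass at the same validate-regex check, as an added example that is not from the thread or from Splunk: it parses a constructed transforms.conf containing the REGEX value btool flagged above (the stanza name sourcetype_1_kv and the FORMAT lines are assumed) and reports which stanzas fail to compile. Python's re engine is not Splunk's PCRE, so a pass here is a rough lint, not a guarantee.

```python
import re
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample transforms.conf: the first REGEX is the one btool
# rejected above, the second is a corrected form with the opening "([a"
# restored. FORMAT values and the second stanza name are assumptions.
SAMPLE_TRANSFORMS_CONF = r"""
[metrics_field_extraction]
REGEX = -zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)
FORMAT = $1::$2

[sourcetype_1_kv]
REGEX = ([a-zA-Z0-9_\.]+)=\"?([a-zA-Z0-9_\.:-]+)
FORMAT = $1::$2
"""


def iter_regex_params(conf_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (stanza, regex) for every REGEX key in a .conf-style text."""
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]  # new stanza header
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == "REGEX" and stanza is not None:
            yield stanza, value.strip()


def validate_regexes(conf_text: str) -> Dict[str, Optional[str]]:
    """Map stanza -> None if its REGEX compiles, else the compile error."""
    results: Dict[str, Optional[str]] = {}
    for stanza, pattern in iter_regex_params(conf_text):
        try:
            re.compile(pattern)
            results[stanza] = None
        except re.error as exc:
            results[stanza] = str(exc)
    return results


if __name__ == "__main__":
    for stanza, err in validate_regexes(SAMPLE_TRANSFORMS_CONF).items():
        status = "OK" if err is None else "Bad regex value: " + err
        print(f"[{stanza}] {status}")
```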

jwhughes58
Contributor

Thanks for the assistance @sainag_splunk.  I didn't know about some of the btool options.  I normally do

btool --debug [inputs|props|transforms] list <stanza>


jwhughes58
Contributor

@sainag_splunk I didn't get any results back from the searches.  This isn't surprising since the information is a csv file ingested by Splunk for reference.  We don't do any modifications of the data.


jwhughes58
Contributor

@sainag_splunk The command doesn't return anything.  Is there supposed to be an index or sourcetype in the command?
