Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search receiving error: The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf

nls7010
Path Finder
‎06-07-2019 05:52 AM

I looked through some of the answers above, but I'm not certain they fit. My clients search is:

index="websphere"  sourcetype=WebSphere:SystemOutLog "execution took"| where source like "%DMAXP01%"| rex field=_raw "] (?.+) SystemOut     O (?.+) \[(?.+)\] \[(?.+)\] \[(?.*)\] (?.+) - USER = \((?.+)\) SPID = \((?.+)\) app \((?.+)\) object \((?.+)\) : (?.+)  \(execution took (?.+) milliseconds"| search queryString !="" | fillnull value=NULL| table ThreadId,CID_Num,host,JVMName,maxSpid,maxUser,appName,maxObject,ResponseTime_ms,queryString,_time

And he gets the error:
Getting "The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf.

I note that he has the .+ entry in his search that matches one of the answers, but I'm not certain what to tell him about what to do with this search.

Should I up the limits for him or will that just make it worse?

Is there a better search?

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-08-2019 10:14 PM

@nls7010,

If you want to change limits please refer to doc of limits.conf here.

[rex]
match_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to set an upper bound on how many times PCRE calls an internal
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 100000

depth_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to limit the depth of nested backtracking in an internal PCRE
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 1000

But, I think default limit in limits.conf is quite enough if you increase it will reduce the search performance and Splunk's performance will also be impacted. Try improving your regex. https://regex101.com/ site will tell you to match this regex requires for the given string to be matched.
You can give me sample events and logic you want to implement with regex, then I can also help you write that regex in better way.

Hope this helps!!!

0 Karma
Reply

martynoconnor
Communicator
‎06-08-2019 02:52 PM

It's a bunch of very lazy regex. Before making any changes to limits.conf I'd tell them to tidy up their search.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...