I looked through some of the answers above, but I'm not certain they fit. My clients search is:
index="websphere" sourcetype=WebSphere:SystemOutLog "execution took"| where source like "%DMAXP01%"| rex field=_raw "] (?.+) SystemOut O (?.+) \[(?.+)\] \[(?.+)\] \[(?.*)\] (?.+) - USER = \((?.+)\) SPID = \((?.+)\) app \((?.+)\) object \((?.+)\) : (?.+) \(execution took (?.+) milliseconds"| search queryString !="" | fillnull value=NULL| table ThreadId,CID_Num,host,JVMName,maxSpid,maxUser,appName,maxObject,ResponseTime_ms,queryString,_time
And he gets the error:
Getting "The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf.
I note that he has the .+ entry in his search that matches one of the answers, but I'm not certain what to tell him about what to do with this search.
Should I up the limits for him or will that just make it worse?
Is there a better search?
@nls7010,
If you want to change limits please refer to doc of limits.conf here.
[rex]
match_limit = <integer>
* Limits the amount of resources that are spent by PCRE
when running patterns that will not match.
* Use this to set an upper bound on how many times PCRE calls an internal
function, match(). If set too low, PCRE might fail to correctly match
a pattern.
* Default: 100000
depth_limit = <integer>
* Limits the amount of resources that are spent by PCRE
when running patterns that will not match.
* Use this to limit the depth of nested backtracking in an internal PCRE
function, match(). If set too low, PCRE might fail to correctly match
a pattern.
* Default: 1000
But, I think default limit in limits.conf is quite enough if you increase it will reduce the search performance and Splunk's performance will also be impacted. Try improving your regex. https://regex101.com/ site will tell you to match this regex requires for the given string to be matched.
You can give me sample events and logic you want to implement with regex, then I can also help you write that regex in better way.
Hope this helps!!!
It's a bunch of very lazy regex. Before making any changes to limits.conf I'd tell them to tidy up their search.