Splunk Search
Highlighted

Search receiving error: The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf

Path Finder

I looked through some of the answers above, but I'm not certain they fit. My clients search is:

index="websphere"  sourcetype=WebSphere:SystemOutLog "execution took"| where source like "%DMAXP01%"| rex field=_raw "] (?.+) SystemOut     O (?.+) \[(?.+)\] \[(?.+)\] \[(?.*)\] (?.+) - USER = \((?.+)\) SPID = \((?.+)\) app \((?.+)\) object \((?.+)\) : (?.+)  \(execution took (?.+) milliseconds"| search queryString !="" | fillnull value=NULL| table ThreadId,CID_Num,host,JVMName,maxSpid,maxUser,appName,maxObject,ResponseTime_ms,queryString,_time

And he gets the error:
Getting "The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf.

I note that he has the .+ entry in his search that matches one of the answers, but I'm not certain what to tell him about what to do with this search.

Should I up the limits for him or will that just make it worse?

Is there a better search?

0 Karma
Highlighted

Re: Search receiving error: The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf

Communicator

It's a bunch of very lazy regex. Before making any changes to limits.conf I'd tell them to tidy up their search.

0 Karma
Highlighted

Re: Search receiving error: The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf

Motivator

@nls7010,

If you want to change limits please refer to doc of limits.conf here.

[rex]
match_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to set an upper bound on how many times PCRE calls an internal
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 100000

depth_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to limit the depth of nested backtracking in an internal PCRE
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 1000

But, I think default limit in limits.conf is quite enough if you increase it will reduce the search performance and Splunk's performance will also be impacted. Try improving your regex. https://regex101.com/ site will tell you to match this regex requires for the given string to be matched.
You can give me sample events and logic you want to implement with regex, then I can also help you write that regex in better way.

Hope this helps!!!

0 Karma