Streamed search execute failed because: Error in '...

dpatiladobe · ‎05-28-2020

Trying to extract the actual query
sourcetype=extendedevent EventClass=QUERY_END | rex "TextData=(?P.*);NTCanonicalUserName" | rex field=Query "FROM [(?\w+\W?\w+)]" | bin _time span=1d | eval mytime=strftime(_time,"%m/%d/%Y") |eval DatabaseName = DatabaseName+":"+CubeName | stats dc(NTUserName) by mytime , DatabaseName

The data is look like below

[2020-05-28 16:01:47.868 +00:00] CurrentTime=5/28/2020 4:01:47 PM +00:00;StartTime=5/28/2020 4:01:47 PM +00:00;EndTime=5/28/2020 4:01:47 PM +00:00;EventClass=QUERY_END;EventSubclass=1;Severity=0;Success=1;Error=0;ConnectionID=2804894;ClientProcessID=4364;SPID=12255472;ErrorType=0;Duration=78;CPUTime=78;IntegerData=5;TextData=select [LAST_SCHEMA_UPDATE],[LAST_DATA_UPDATE] from $system.mdschema_cubes where ([CATALOG_NAME]=@p1);NTCanonicalUserName=xxxx\xxx;SessionID=F1E0DF9C-E2B2-48BD-BFF4-FB57D3868BC6;NTUserName=xxxxx;NTDomainName=xxxxx;DatabaseName=xxxxx;ApplicationName=xxxxx05/28/2020 00:31:26;ServerName=xxxxx;RequestID=c65c0c7e-97d8-4259-a0aa-eab745e72b44;RequestID=xxxxx-a430-418f-898a-37282d0ee2df[0];RequestID=xxxxx-d7ed-4401-9856-c974c21017c2[24];```

I did search on https://regex101.com/r/ObGKC9/3. and it is showing 917 steps. Need help to make it less.

to4kawa · ‎05-30-2020

rex "TextData=(?P<Query>[^;]+);"

this regex is 32 steps.

dpatiladobe · ‎06-03-2020

Thank You It works as expected

Streamed search execute failed because: Error in 'rex' command: regex="TextData=(?P.*);NTCanonicalUserName" has exceeded configured match_limit, consider raising the value in limits.conf.

eval

field extraction

regex

rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!