Try this regex to see if it helps:
| rex field=<your_field_here> max_match=0 "onePartKey=true[\S\s]+?product.aws.(?<status>success|success.notfound)\,"
This regex should be roughly 3x more efficient (440 steps down to 168 steps), and also uses many fewer literals (making it more flexible, so as not to accidentally miss anything).
[\S\s]? should almost always be used in place of [\S\s] unless you're confident about how they differ. Without the question mark quantifier, the expression is incredibly greedy, and will continue to match everything until it can't possibly match anymore. This often leads to unintentionally missed regex matches, and to inefficiency on the back end.
To illustrate this concept, let's say we want to match all the "MATCH" words in this string:
______MATCH______MATCH______MATCH______
Using [\S\s]*(?<greedy_expression>MATCH) as our expression, we only capture the third "MATCH". This is because the expression is greedy by nature, and wants to capture as much as possible. For that reason, the expression captures everything it can until the very last instance of the word "MATCH".
On the other hand, if we make the expression lazy by adding a question mark after the wildcard -- [\S\s]*?(?<lazy_expression>MATCH) -- you'll notice all three "MATCH" words are captured AND it only took about half the steps as the greedy version.
I hope this helps and makes sense! You may still have problems with limits, depending on the actual size of each log, but this should at least make it much less resource intensive on the back end of your search!
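The greedy-versus-lazy behaviour and the suggested rex pattern, run end to end as an added Python example (not part of the original post): Python's re module stands in for Splunk's rex, finditer for max_match=0, and the two-event log text is constructed for illustration.

```python
import re

# Constructed sample string from the post above; not real data.
SAMPLE = "______MATCH______MATCH______MATCH______"

# Constructed two-event log. Only onePartKey=true and product.aws.<status>,
# come from the post; req/region/result are made-up field names.
LOG = (
    "onePartKey=true req=c1 region=us-east-1 result=product.aws.success, done "
    "onePartKey=true req=c2 region=us-west-2 result=product.aws.success.notfound, done"
)


def capture_starts(pattern: str, text: str) -> list[int]:
    """Start offset of group 1 for every match (what rex max_match=0 would keep)."""
    return [m.start(1) for m in re.finditer(pattern, text)]


def greedy_vs_lazy(text: str = SAMPLE) -> tuple[list[int], list[int]]:
    """Return (greedy capture offsets, lazy capture offsets) for the MATCH example."""
    # Python spells a named group (?P<name>...); Splunk/PCRE write (?<name>...).
    greedy = capture_starts(r"[\S\s]*(?P<greedy_expression>MATCH)", text)
    lazy = capture_starts(r"[\S\s]*?(?P<lazy_expression>MATCH)", text)
    return greedy, lazy


def extract_status(log: str = LOG, lazy: bool = True) -> list[str]:
    """Apply the post's rex pattern with a lazy (+?) or greedy (+) wildcard."""
    quantifier = "+?" if lazy else "+"
    pattern = (
        r"onePartKey=true[\S\s]" + quantifier
        + r"product.aws.(?P<status>success|success.notfound)\,"
    )
    return [m.group("status") for m in re.finditer(pattern, log)]


if __name__ == "__main__":
    g, l = greedy_vs_lazy()
    print(f"greedy captures at {g}; lazy captures at {l}")
    print("lazy  :", extract_status(lazy=True))   # both events extracted
    print("greedy:", extract_status(lazy=False))  # first event silently lost
```

The greedy form returns a single status for the whole text because the wildcard runs to the end and backtracks only to the last `product.aws.` occurrence, which is exactly the "missing matches" failure the post warns about.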