×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jhooper33
Explorer
Member since: ‎11-28-2022
‎12-23-2023
Community Statistics
Posts 6
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎11-28-2022
Activity Feed
View All

Re: Regex: regular expression is too large

by in Splunk Search
‎12-22-2023 05:59 PM
‎12-22-2023 05:59 PM
I appreciate all the help and apologize for my late response. I am still a low man on the totem pole and been trying to research more into this with the recommendations. The file gets automatically updated periodically with all the new intel we ingest, this one specifically regarding malicious URLs. My higher up suggested recently a recommendation from a 13 year old Splunk community post to try and fix this issues. (https://community.splunk.com/t5/Splunk-Search/Lookup-table-Limits/m-p/75336) I am not familiar with this recommendation so need to look into it. If anyone believes this is not a good recommendation from a 13 year old post then please let me know. Thank you very much. ... View more

Re: Regex: regular expression is too large

by in Splunk Search
‎12-11-2023 11:36 PM
‎12-11-2023 11:36 PM
@gcusello  Apologies for the late response, got the ok to send the search today. The url_intel.csv is what has 66,317 lines. I just ran this alert and it didn't give this regex error, so it is intermittent when it will give an error at all. index=pan_logs [ inputlookup url_intel.csv | fields ioc | rename ioc AS dest_url] | search NOT [| inputlookup whitelist.csv | search category=website | fields ignoreitem | rename ignoreitem as query ] | search NOT ("drop" OR "denied" OR "deny" OR "reset" OR "block") | eval Sensor_Name="Customer", Signature="URL Intel Hits", user=if(isnull(user),"-",user), src_ip=if(isnull(src_ip),"-",src_ip),dest_ip=if(isnull(dest_ip),"-",dest_ip), event_criticality="Medium" | rename _raw AS Raw_Event | table _time,event_criticality,Sensor_Name,Signature,user,src_ip,dest_ip,Raw_Event ... View more

Re: Regex: regular expression is too large

by in Splunk Search
‎12-09-2023 09:41 PM
‎12-09-2023 09:41 PM
@PickleRick!!! Thank you for the suggestion. I haven't seen anyone use KVstore for lookup for any of our searches yet so I will definitely look into this. ... View more

Re: Regex: regular expression is too large

by in Splunk Search
‎12-09-2023 09:40 PM
‎12-09-2023 09:40 PM
Hey @gcusello  I will have to verify first if I'm allowed to share the search, may fall under IP. But I am going to look at summary index and I'm also considering rewriting this whole file. ... View more

Re: Regex: regular expression is too large

by in Splunk Search
‎12-08-2023 11:25 PM
‎12-08-2023 11:25 PM
Hi @gcusello, Thank you for the response. I did not create this csv only working with it from past co workers. So I have been spending a bit of time trying to fix this issue. I've tried to find any regex issues with this file but it's a little difficult with how many lines there are. Are you asking if I can share the lookup file? And as far as using a summary index, this is something I haven't tried yet. ... View more

Regex: regular expression is too large

by in Splunk Search
‎12-08-2023 07:55 PM
‎12-08-2023 07:55 PM
Hi Team/Community, I'm having an issue with a lookup file. I have a csv with two columns, 1st is named ioc and second is named note. This csv is an intel file created for searching for any visits to malicious urls for users. The total number of lines for this csv is 66,317. The encoding for this csv is ascii. We keep having an issue with this search where when running it Splunk will give an error message of Regex: regular expression is too large. This error isn't consistent and it this particular alert doesn't  seem to trigger much for many of our customers. We also have a similar separate alerts built for looking for domains and IPs. Those work much better than this url csv. I would like help in seeing with the issue is with the regex being too large. Is the number of lines causing a major issue with this file running properly? Any help would be greatly appreciated as I think this search is not running efficiently. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-23-2023 02:46 AM
Karma given to
View All