Splunk ITSI is not able create the service now tickets whenever we have seen longer comments in the work notes section .  We haven't made any changes recently but the below error is popping up .Any clue why is this happening ? Seeing this Streamed search execute failed because: Error in 'rex' command: regex="(?s).*dv_comments="(?<comments>.*)$" has exceeded configured match_limit, consider raising the value in limits.conf. Here's the regex expression : rex field=_raw "(?s).*dv_comments=\"(?<comments>.*)$" rex field=comments "(?s)(?<comment_time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s-\s(?<comment_user>.*?)\s\(Additional comments\)\n\sResolution notes\s=\s(?<resolution_notes>.*?)(?=\d{4}-\d{2}-\d{2}|\n\"|$).*" what is the default value to set in limits.conf? what happens if we set it to default values in itsi event correlation  and alternative suggestions ? ... View more

Hello Splunk Community, I’m reaching out for guidance on handling Knowledge Objects (KOs) that reside in the default directory of their respective apps and cannot be deleted from the Splunk UI. We observed that: • Some KOs throw the message: “This saved search failed to handle removal request” which, as documented, is likely because the KO is defined in both the local and default directories. I have a couple of questions: 1. Can default directory KOs be deleted manually via the filesystem or another method, if not possible through the UI? 2. Is there a safe alternative such as disabling them if deletion is not possible? 3. From a list of KOs I have, how can I programmatically identify which ones reside in the default directory? Also, is there a recommended way to handle overlapping configurations between default and local directories, especially when clean-up or access revocation is needed? Any best practices, scripts, or documentation references would be greatly appreciated! ... View more