Splunk Search

Search receiving error: The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf

nls7010
Path Finder

I looked through some of the answers above, but I'm not certain they fit. My client's search is:

index="websphere"  sourcetype=WebSphere:SystemOutLog "execution took"| where source like "%DMAXP01%"| rex field=_raw "] (?.+) SystemOut     O (?.+) \[(?.+)\] \[(?.+)\] \[(?.*)\] (?.+) - USER = \((?.+)\) SPID = \((?.+)\) app \((?.+)\) object \((?.+)\) : (?.+)  \(execution took (?.+) milliseconds"| search queryString !="" | fillnull value=NULL| table ThreadId,CID_Num,host,JVMName,maxSpid,maxUser,appName,maxObject,ResponseTime_ms,queryString,_time

And he gets the error:
Getting "The XYZ query has exceeded configured match_limit, consider raising the value in limits.conf".

I note that he has the .+ entry in his search that matches one of the answers, but I'm not certain what to tell him about what to do with this search.

Should I up the limits for him or will that just make it worse?

Is there a better search?

0 Karma

VatsalJagani
SplunkTrust

@nls7010,

If you want to change the limits, please refer to the limits.conf documentation here.

[rex]
match_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to set an upper bound on how many times PCRE calls an internal
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 100000

depth_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to limit the depth of nested backtracking in an internal PCRE
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 1000

But I think the default limit in limits.conf is quite enough; if you increase it, it will reduce search performance and Splunk's performance will also be impacted. Try improving your regex. The https://regex101.com/ site will tell you what it takes to match this regex against the given string.
You can give me sample events and the logic you want to implement with regex, then I can also help you write that regex in a better way.

Hope this helps!!!

0 Karma

martynoconnor
Communicator

It's a bunch of very lazy regex. Before making any changes to limits.conf I'd tell them to tidy up their search.

0 Karma
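To show what both answers are getting at (that the greedy `.+` groups, not match_limit, are the problem), here is an added example that is not from this thread, from Splunk, or from the poster: a small Python backtracking matcher that counts PCRE-style match() calls and stops at a match_limit, run over the shape of the rex above with `.+` groups and with each group bounded by the character that must end it. The pattern strings LAZY and TIGHT, the WebSphere-style events built by make_line (a constructed stress line with a configurable number of bracketed fields and an optionally truncated tail), and all function names are assumptions made for this example; the matcher supports no capture groups, so the field names from the search are dropped.

```python
"""Mini backtracking matcher with a PCRE-style match_limit (added example).
Supports literals, \\x escapes, `.`, [...]/[^...] classes and greedy +/*;
no capture groups, so the named groups of the rex are written as bare .+."""


class MatchLimitExceeded(Exception):
    """Raised when the matcher makes more match() calls than match_limit."""


def parse(pattern):
    """Turn a pattern string into a list of (atom, quantifier) tokens."""
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                          # escaped literal such as \[ or \(
            atom, i = ("lit", pattern[i + 1]), i + 2
        elif c == ".":                         # any character except newline
            atom, i = ("any", None), i + 1
        elif c == "[":                         # character class, optionally negated
            i += 1
            neg = pattern[i] == "^"
            if neg:
                i += 1
            chars = set()
            while pattern[i] != "]":
                if pattern[i] == "\\":         # escaped char inside the class
                    i += 1
                chars.add(pattern[i])
                i += 1
            atom, i = ("class", (chars, neg)), i + 1
        else:
            atom, i = ("lit", c), i + 1
        quant = None
        if i < len(pattern) and pattern[i] in "+*":
            quant, i = pattern[i], i + 1
        tokens.append((atom, quant))
    return tokens


def _atom_matches(atom, ch):
    kind, arg = atom
    if kind == "any":
        return ch != "\n"
    if kind == "lit":
        return ch == arg
    chars, neg = arg
    return (ch in chars) != neg


def _match(tokens, ti, text, pos, counter, limit):
    """One match()-style call; counter[0] counts calls against limit."""
    counter[0] += 1
    if counter[0] > limit:
        raise MatchLimitExceeded(counter[0])
    if ti == len(tokens):
        return True
    atom, quant = tokens[ti]
    if quant is None:
        if pos < len(text) and _atom_matches(atom, text[pos]):
            return _match(tokens, ti + 1, text, pos + 1, counter, limit)
        return False
    # Greedy quantifier: take as much as possible, then give back one char
    # at a time, retrying the rest of the pattern at every stop position.
    end = pos
    while end < len(text) and _atom_matches(atom, text[end]):
        end += 1
    shortest = pos + (1 if quant == "+" else 0)
    for stop in range(end, shortest - 1, -1):
        if _match(tokens, ti + 1, text, stop, counter, limit):
            return True
    return False


def search(pattern, text, match_limit=100000):
    """Unanchored search like rex; returns (matched, match_calls)."""
    tokens, counter = parse(pattern), [0]
    for start in range(len(text) + 1):
        if _match(tokens, 0, text, start, counter, match_limit):
            return True, counter[0]
    return False, counter[0]


# Shape of the rex from the question with its .+ groups kept (names dropped).
LAZY = (r"\] .+ SystemOut     O .+ \[.+\] \[.+\] \[.*\] .+ - USER = \(.+\) "
        r"SPID = \(.+\) app \(.+\) object \(.+\) : .+  \(execution took .+ milliseconds")
# Same shape, each group bounded by the character that has to end it.
TIGHT = (r"\] [^ ]+ SystemOut     O [^ ]+ \[[^\]]+\] \[[^\]]+\] \[[^\]]*\] [^ ]+ - USER = "
         r"\([^)]+\) SPID = \([^)]+\) app \([^)]+\) object \([^)]+\) : [^(]+  "
         r"\(execution took [^ ]+ milliseconds")


def make_line(n_fields, complete=True):
    """Constructed WebSphere-style event with n_fields bracketed fields;
    complete=False truncates the tail so the patterns can never match."""
    fields = " ".join(f"[f{i}]" for i in range(1, n_fields + 1))
    tail = "12 milliseconds" if complete else "12 ms"
    return (f"[3/1/24 10:00:00:000 EST] 0000a1b2 SystemOut     O WebContainer {fields} "
            f"SqlLogger - USER = (maximo) SPID = (55) app (MAXIMO) object (WORKORDER) "
            f": select 1 from dual  (execution took {tail}")


def compare(n_fields, complete, match_limit=100000):
    """(matched, calls) for each pattern; None marks a match_limit hit."""
    result = {}
    for name, pattern in (("lazy", LAZY), ("tight", TIGHT)):
        try:
            result[name] = search(pattern, make_line(n_fields, complete), match_limit)
        except MatchLimitExceeded:
            result[name] = None
    return result


if __name__ == "__main__":
    for n in (3, 6, 9, 12, 16):
        print(n, "fields, non-matching event:", compare(n, complete=False))
    print("3 fields, matching event:", compare(3, complete=True))
```

On an event the pattern cannot match, the lazy version runs into the 100000 default because every `.+` is retried at every stop position for every combination of the others, so the work grows combinatorially with the number of bracketed fields; the bounded classes leave each field one candidate and fail within a few hundred calls. Raising match_limit only lets the same work run longer on every non-matching event, which is the performance cost the first answer warns about.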