We use inputlookup to run large numbers (thousands) of indicators against network traffic in our org. This has worked well for some time.
[| inputlookup indicators.csv | fields foo | rename foo as search | format maxresults=10000] index=bar
Recently, on another instance of Splunk I've started getting this error:
> Regex: regular expression is too large
To get the search to complete, I either have to remove the maxresults variable (which 'dumbs' the number of indicators used in the search down to the first 100) or change maxresults to 1000; any larger number fails.
Did something change with the way Splunk processes these types of searches?
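One way to sidestep the subsearch expansion entirely, as an added example and not part of the original post: have the lookup command match each event against the indicator table instead of pasting thousands of values into the outer search string. The field names `dest_ip` and `src_ip` are assumptions about the network data in `index=bar`, and the example assumes `indicators.csv` is available to the search as a lookup table (uploaded as a lookup table file or defined in transforms.conf).

```spl
index=bar
| lookup indicators.csv foo AS dest_ip OUTPUT foo AS matched_indicator
| where isnotnull(matched_indicator)
| stats count BY matched_indicator src_ip dest_ip
```

Because the match is evaluated per event against the table, the number of indicators no longer affects the size of the compiled search, so there is no maxresults cap to tune. Matching is exact and, unless the lookup definition sets `case_sensitive_match = false`, case-sensitive, so the `foo` column must hold values in the same form as the event field being compared.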