Hi Splunkers,
I'm running Splunk 7.0.1 and having some problems parsing variables using regex in a search.
This is my data, in one line only:
Aug 30 19:40:41 10.181.132.181 1 2019-08-30T19:40:30.729124-04:00 bones NETWORK_STATE FACILITIES LINKS - - - "All Power 1":1,"All Power 2":0,"Five Stars 1":1,"Five Stars 2":1,"Five Stars 3":1,"Five Stars 4":1,"Five Stars 5":1,"Five Stars 6":1,"Five Stars 7":1,"Five Stars Power":0,"Telefive Shark 1":1,"Telefive Shark 2":1,"Infinity 1":1,"Infinity 2":1,"Infinity 3":1,"OutSourcing":1,"Unitel":1,"Longside":1,"Tele Power":1,"Digilast 1":1,"Digilast 2":1
I'm trying to extract some fields, like:
Option1: FACILITIES
Option2: LINKS
NN1: "All Power 1"
Link_State1: 1
.
.
.
NN21: "Digilast 2"
Link_State21: 1
The regular expression that I'm trying to use is:
NETWORK_STATE (?\w+) (?\w+) - - -
(?.*):(?.)(?.*):(?.)(?.*):(?.)(?.*):(?Link_State4>.)
(?.*):(?.)(?.*):(?.)(?.*):(?.)(?.*):(?.)
(?.*):(?.)(?.*):(?..)(?.*):(?..)(?.*):(?..)
(?.*):(?..)(?.*):(?..)(?.*):(?..)(?.*):(?..)
(?.*):(?..)(?.*):(?..)(?.*):(?..)(?.*):(?..)
(?.*):(?..)
But I've got the following error:
Error in 'rex' command: regex="NETWORK_STATE (?\w+) (?\w+) - - - (?.*),(?.*):(?.),
(?.*):(?.),(?.*):(?.),(?.*):(?.),(?.*):(?.),(? .*):(?.),(?.*):(?.),(?.*):(?.),(?.*):(?.),(? .*):(?.),(?.*):(?.),(?.*):(?.)" has exceeded configured match_limit,
consider raising the value in limits.conf
Looking for the error, I've learnt that there are better ways to achieve my goal. Please, could you enlighten me?
Regards
Pedro
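
Added example, not part of the original post: a long chain of greedy `.*` groups can split the line in a very large number of ways, and that backtracking is what runs into `match_limit`. This Python sketch extracts the same fields with one anchored header match plus a repeated quoted-name/state pair match; the function names and the shortened four-link sample event are assumptions made here.

```python
import re

# Constructed sample: the event from the post, shortened to four links.
SAMPLE = (
    'Aug 30 19:40:41 10.181.132.181 1 2019-08-30T19:40:30.729124-04:00 bones '
    'NETWORK_STATE FACILITIES LINKS - - - '
    '"All Power 1":1,"All Power 2":0,"Five Stars Power":0,"Digilast 2":1'
)

# Header: anchored on the literal tag; \w+ cannot run past the next space,
# and the single trailing .* has only one way to match.
HEADER = re.compile(
    r'NETWORK_STATE (?P<Option1>\w+) (?P<Option2>\w+) - - - (?P<pairs>.*)$'
)

# One pair: [^"]+ stops at the closing quote, so the engine never has to
# try alternative split points the way a greedy .* does.
PAIR = re.compile(r'"(?P<name>[^"]+)":(?P<state>\d+)')


def extract_fields(event):
    """Return Option1/Option2 plus NNn/Link_Staten, or None if not NETWORK_STATE."""
    m = HEADER.search(event)
    if m is None:
        return None
    fields = {"Option1": m["Option1"], "Option2": m["Option2"]}
    # Apply the small pair pattern repeatedly instead of writing 21 groups.
    for i, pair in enumerate(PAIR.finditer(m["pairs"]), start=1):
        fields[f"NN{i}"] = pair["name"]
        fields[f"Link_State{i}"] = int(pair["state"])
    return fields


def down_links(event):
    """Names of links whose state is 0, in the order they appear."""
    m = HEADER.search(event)
    if m is None:
        return []
    return [p["name"] for p in PAIR.finditer(m["pairs"]) if p["state"] == "0"]


if __name__ == "__main__":
    for key, value in extract_fields(SAMPLE).items():
        print(f"{key}: {value}")
    print("down:", down_links(SAMPLE))
```

In SPL the per-pair pattern maps to `rex max_match=0`, which returns the names and states as multivalue fields rather than numbered ones.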