IBM Support

QRadar: Notification "The matcher for the following Regex has been disabled due to excessive backtracking"

Troubleshooting


Problem

In the QRadar® console, the user receives a notification stating: "The matcher for the following Regex has been disabled due to excessive backtracking," including a short string of regex characters.
 
For example:
The matcher for the following Regex has been disabled due to excessive backtracking: 'Domain=(.*?)\\t'

Cause

A property provided by a Log Source Extension (LSX) enabled on the QRadar environment has taken too long to parse and has been disabled to preserve performance on the system.
This typically occurs when a property provided by an LSX repeatedly takes more than 2000ms to parse. After 5 occurrences of this, the property is permanently disabled until the user takes action.

Resolving The Problem

If the notification has been received, the property will remain disabled until one of the following actions has been performed to re-enable it. If the property is not optimized, the system may encounter the same issue and disable the LSX again.
  1. The pattern is optimized and the changes saved, which re-loads the LSX and thus re-enables the property.
  2. The Log Source is disabled, then re-enabled, which also re-loads the LSX. This can be performed by un-checking and checking the "Enabled" button beside the log source in the Log Source Management App.
  3. Services are restarted. For how to restart services, see: QRadar: Hostcontext service and the impact of a service restart
     
For more information about Log Source Extensions themselves, refer to: Log source extensions
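
One way to vet an optimized pattern before saving it (option 1 above), as an added example that is not IBM's code: it checks that a candidate rewrite of the pattern from the notification captures the same value, and counts parses over the 2000 ms limit. The candidate pattern, the function names and the payloads are assumptions constructed for illustration, and Python's `re` engine only approximates how QRadar's matcher behaves and times out.

```python
import re
import time

THRESHOLD_MS = 2000   # per-parse limit stated on the page
MAX_SLOW_EVENTS = 5   # occurrences before the property is disabled (per the page)

# Pattern from the notification, assuming its doubled backslash is display escaping.
ORIGINAL = r"Domain=(.*?)\t"
# Assumed rewrite: a negated class stops at the first tab without lazy stepping.
# "\n" is excluded because "." does not match it in Python's default mode.
CANDIDATE = r"Domain=([^\t\n]*)\t"

# Constructed sample payloads (not real events).
SAMPLE_PAYLOADS = [
    "User=alice\tDomain=CORP\tHost=ws01\tAction=login",
    "Domain=\tUser=bob",                 # empty value
    "User=carol Domain=CORP",            # no trailing tab: no match expected
    "Domain=A\nDomain=B\tUser=dave",     # first occurrence is cut by a newline
    "Domain=x " * 300,                   # many prefixes, no tab: worst case here
]

def extract(compiled, payload):
    """Return (captured value or None, elapsed milliseconds) for one payload."""
    start = time.perf_counter()
    match = compiled.search(payload)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return (match.group(1) if match else None), elapsed_ms

def compare(original, candidate, payloads):
    """Confirm candidate captures what original does; count over-limit parses."""
    orig_re, cand_re = re.compile(original), re.compile(candidate)
    report = {"mismatches": [], "slow_original": 0, "slow_candidate": 0}
    for index, payload in enumerate(payloads):
        want, t_orig = extract(orig_re, payload)
        got, t_cand = extract(cand_re, payload)
        if want != got:
            report["mismatches"].append((index, want, got))
        report["slow_original"] += int(t_orig > THRESHOLD_MS)
        report["slow_candidate"] += int(t_cand > THRESHOLD_MS)
    # Save only if extraction is unchanged and the limit would not be tripped.
    report["safe_to_save"] = (not report["mismatches"]
                              and report["slow_candidate"] < MAX_SLOW_EVENTS)
    return report

if __name__ == "__main__":
    print(compare(ORIGINAL, CANDIDATE, SAMPLE_PAYLOADS))
```

Replace `SAMPLE_PAYLOADS` with representative events from the affected log source, including the longest ones, before relying on the result.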

Document Location

Worldwide


Document Information

Modified date:
04 March 2021

UID

ibm16415619