Troubleshooting
Problem
In the QRadar® console, the user receives a notification stating: "The matcher for the following Regex has been disabled due to excessive backtracking," including a short string of regex characters.
For example:
The matcher for the following Regex has been disabled due to excessive backtracking: 'Domain=(.*?)\\t'
Cause
A property provided by a Log Source Extension (LSX) enabled on the QRadar environment has taken too long to parse and has been disabled to preserve performance on the system.
This typically occurs when a property provided by an LSX repeatedly takes more than 2000ms to parse. After 5 such occurrences, the property is disabled and stays disabled until the user takes action.
Resolving The Problem
Once the notification has been received, the property remains disabled until one of the following actions is performed to re-enable it. If the pattern is not optimized, the system may hit the same limit and disable it again.
- The pattern is optimized and the changes saved, which re-loads the LSX and thus re-enables the property.
- The Log Source is disabled, then re-enabled, which also re-loads the LSX. This can be performed by un-checking and checking the "Enabled" button beside the log source in the Log Source Management App.
- Services are restarted. For how to restart services, click the following link: QRadar: Hostcontext service and the impact of a service restart
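The following is an added illustration, not code from the technote or from QRadar itself. It models the behaviour described above (a parse that repeatedly exceeds 2000ms, disabled after 5 occurrences, re-enabled when the LSX is re-loaded) and adds the check a practitioner wants before saving an edited pattern: time the candidate regex against sample events and see whether any parse would count as slow. The class, function and field names are invented for the example, the tab-separated events are constructed, and the timing is taken with Python's re module rather than the engine QRadar uses, so treat the numbers as indicative only. The second pattern, with a negated character class instead of a lazy dot-star, is offered as an assumed example of an optimized form for the same field.

```python
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Limits as stated in the technote: more than 2000 ms per parse, 5 occurrences.
SLOW_PARSE_MS = 2000
MAX_SLOW_OCCURRENCES = 5

# Constructed sample events (tab-separated key=value pairs, not real QRadar data).
# The third event has no Domain field, so the property must fail cleanly on it.
SAMPLE_EVENTS = [
    "LogonType=3\tDomain=corp.example\tUser=alice\t",
    "LogonType=10\tDomain=lab.example\tUser=bob\t",
    "LogonType=3\tUser=svc-backup\t",
]

ORIGINAL_PATTERN = r"Domain=(.*?)\t"      # the pattern quoted in the notification
OPTIMIZED_PATTERN = r"Domain=([^\t]*)\t"  # assumed optimized form: cannot scan past a tab


@dataclass
class PropertyMatcher:
    """Hypothetical model of one LSX regex property with the guard the technote
    describes: each parse is timed, and after max_slow parses slower than slow_ms
    the property is disabled until the LSX is re-loaded."""
    name: str
    pattern: str
    slow_ms: float = SLOW_PARSE_MS
    max_slow: int = MAX_SLOW_OCCURRENCES
    slow_count: int = 0
    disabled: bool = False
    notifications: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.regex = re.compile(self.pattern)

    def parse(self, event: str) -> Optional[str]:
        """Return the captured value, or None if there is no match or the
        property has been disabled."""
        if self.disabled:
            return None
        start = time.perf_counter()
        match = self.regex.search(event)
        elapsed_ms = (time.perf_counter() - start) * 1000
        if elapsed_ms > self.slow_ms:
            self.slow_count += 1
            if self.slow_count >= self.max_slow:
                self.disabled = True
                self.notifications.append(
                    "The matcher for the following Regex has been disabled "
                    f"due to excessive backtracking: '{self.pattern}'")
        return match.group(1) if match else None

    def reload(self, pattern: Optional[str] = None) -> None:
        """Re-enable the property, as saving an optimized pattern or toggling
        the log source re-loads the LSX. A new pattern replaces the old one."""
        if pattern is not None:
            self.pattern = pattern
            self.regex = re.compile(pattern)
        self.slow_count = 0
        self.disabled = False


def benchmark_pattern(pattern: str, events: List[str],
                      slow_ms: float = SLOW_PARSE_MS) -> Tuple[float, int]:
    """Pre-save check: run the pattern over sample events and report the slowest
    parse in ms and how many events exceeded slow_ms. Indicative only, because
    this uses Python's regex engine, not the one inside QRadar."""
    regex = re.compile(pattern)
    slowest = 0.0
    slow_events = 0
    for event in events:
        start = time.perf_counter()
        regex.search(event)
        elapsed_ms = (time.perf_counter() - start) * 1000
        slowest = max(slowest, elapsed_ms)
        if elapsed_ms > slow_ms:
            slow_events += 1
    return slowest, slow_events


if __name__ == "__main__":
    for pattern in (ORIGINAL_PATTERN, OPTIMIZED_PATTERN):
        slowest, slow = benchmark_pattern(pattern, SAMPLE_EVENTS)
        print(f"{pattern!r}: slowest {slowest:.3f} ms, {slow} slow event(s)")
```

Running the module prints the slowest parse for each pattern over the sample events; a pattern that shows slow events here, or whose slowest parse approaches the 2000ms limit, should be reworked before the LSX is saved.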
For more information about Log Source Extensions themselves, refer to: Log source extensions
Document Location
Worldwide
Document Information
Modified date:
04 March 2021
UID
ibm16415619