Warning message tracked down to Microsoft Cloud Se...

scannon4 · ‎08-08-2017

We are seeing the following warning message over and over:

IndexOutOfBounds invalid The FORMAT capturing group id: id=3, transform_name='error_info'

The only app that I could find that has this transform name is the Microsoft Cloud Services app. The default folder transforms.conf ha this section:

[o365_invalid_account]
REGEX = Request\s+for\s+account=\"(.)\"\s+failed:\s+[.]\s+(?:POST|GET)\s+request\s+to\s+(.*)\s+(?:fail|failed|exception)
FORMAT = account_name::$1 url::$2 error_info::$3 account_status::"invalid"

I have no idea why this warning message pops up but it appears 4-5 times every second. We are running Splunk Enterprise 6.6.2. Thanks for any assistance.

mbenwell · ‎08-14-2017

The regex doesn't have 3 capture groups, hence the index out of bounds... 3 doesn't exist. The use of ?: says this is a non-capturing group.

For now to make the errors stop I would create a new transforms.conf in Splunk_TA_microsoft-cloudservices/local and modify the FORMAT parameter so it doesn't reference the non-existant capture group. The below should do the trick:

[o365_invalid_account]
FORMAT = account_name::$1 url::$2 account_status::"invalid"

scannon4 · ‎08-15-2017

Thanks I will give this and shot and mark this as answered if it worked.

Warning message tracked down to Microsoft Cloud Services app

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials