All Apps and Add-ons

Warning message tracked down to Microsoft Cloud Services app

scannon4
Communicator

We are seeing the following warning message over and over:

IndexOutOfBounds invalid The FORMAT capturing group id: id=3, transform_name='error_info'

The only app that I could find that has this transform name is the Microsoft Cloud Services app. The default folder transforms.conf ha this section:

[o365_invalid_account]
REGEX = Request\s+for\s+account=\"(.)\"\s+failed:\s+[.]\s+(?:POST|GET)\s+request\s+to\s+(.*)\s+(?:fail|failed|exception)
FORMAT = account_name::$1 url::$2 error_info::$3 account_status::"invalid"

I have no idea why this warning message pops up but it appears 4-5 times every second. We are running Splunk Enterprise 6.6.2. Thanks for any assistance.

mbenwell
Communicator

The regex doesn't have 3 capture groups, hence the index out of bounds... 3 doesn't exist. The use of ?: says this is a non-capturing group.

For now to make the errors stop I would create a new transforms.conf in Splunk_TA_microsoft-cloudservices/local and modify the FORMAT parameter so it doesn't reference the non-existant capture group. The below should do the trick:

[o365_invalid_account]
FORMAT = account_name::$1 url::$2 account_status::"invalid"

scannon4
Communicator

Thanks I will give this and shot and mark this as answered if it worked.

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...