Solved: 'Encountered the following error while trying to u...

wrangler2x · ‎08-16-2017

I've got this simple transform for dropping unwanted logs which works fine. I went to add something to it and got this Encountered the following error while trying to update: Invalid FORMAT: nullQueue error when I tried to save it. Then I Canceled, and re-clicked on the transform (in Settings>>Fields>>Field transformations) and tried a Save without changing anything and got the same error. Why is that?

[paloaltoNoiseDrop]
REGEX = syslog-conn-status,.*(established|broken)
DEST_KEY = queue
FORMAT = nullQueue

sbbadri · ‎08-16-2017

You can implement above use case only through backend i.e., edit transforms.conf by login to the server. In GUI format is only defined like fieldname::$1 or $1.Otherwise you can try like below,

[setnull]
FORMAT = setnull::nullQueue
REGEX = syslog
disabled = 1

View solution in original post

sbbadri · ‎08-16-2017

You can implement above use case only through backend i.e., edit transforms.conf by login to the server. In GUI format is only defined like fieldname::$1 or $1.Otherwise you can try like below,

[setnull]
FORMAT = setnull::nullQueue
REGEX = syslog
disabled = 1

'Encountered the following error while trying to update: Invalid FORMAT: nullQueue' error editing a transform via Splunk Web

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

'Encountered the following error while trying to update: Invalid FORMAT: nullQueue' error editing a transform via Splunk Web

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I