Warning message tracked down to Microsoft Cloud Se...

scannon4 · ‎08-08-2017

We are seeing the following warning message over and over:

IndexOutOfBounds invalid The FORMAT capturing group id: id=3, transform_name='error_info'

The only app that I could find that has this transform name is the Microsoft Cloud Services app. The default folder transforms.conf ha this section:

[o365_invalid_account]
REGEX = Request\s+for\s+account=\"(.)\"\s+failed:\s+[.]\s+(?:POST|GET)\s+request\s+to\s+(.*)\s+(?:fail|failed|exception)
FORMAT = account_name::$1 url::$2 error_info::$3 account_status::"invalid"

I have no idea why this warning message pops up but it appears 4-5 times every second. We are running Splunk Enterprise 6.6.2. Thanks for any assistance.

mbenwell · ‎08-14-2017

The regex doesn't have 3 capture groups, hence the index out of bounds... 3 doesn't exist. The use of ?: says this is a non-capturing group.

For now to make the errors stop I would create a new transforms.conf in Splunk_TA_microsoft-cloudservices/local and modify the FORMAT parameter so it doesn't reference the non-existant capture group. The below should do the trick:

[o365_invalid_account]
FORMAT = account_name::$1 url::$2 account_status::"invalid"

scannon4 · ‎08-15-2017

Thanks I will give this and shot and mark this as answered if it worked.

Warning message tracked down to Microsoft Cloud Services app

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life