Solved: 'Encountered the following error while trying to u...

wrangler2x · ‎08-16-2017

I've got this simple transform for dropping unwanted logs which works fine. I went to add something to it and got this Encountered the following error while trying to update: Invalid FORMAT: nullQueue error when I tried to save it. Then I Canceled, and re-clicked on the transform (in Settings>>Fields>>Field transformations) and tried a Save without changing anything and got the same error. Why is that?

[paloaltoNoiseDrop]
REGEX = syslog-conn-status,.*(established|broken)
DEST_KEY = queue
FORMAT = nullQueue

sbbadri · ‎08-16-2017

You can implement above use case only through backend i.e., edit transforms.conf by login to the server. In GUI format is only defined like fieldname::$1 or $1.Otherwise you can try like below,

[setnull]
FORMAT = setnull::nullQueue
REGEX = syslog
disabled = 1

View solution in original post

sbbadri · ‎08-16-2017

You can implement above use case only through backend i.e., edit transforms.conf by login to the server. In GUI format is only defined like fieldname::$1 or $1.Otherwise you can try like below,

[setnull]
FORMAT = setnull::nullQueue
REGEX = syslog
disabled = 1

'Encountered the following error while trying to update: Invalid FORMAT: nullQueue' error editing a transform via Splunk Web

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor