https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41426#M9603 <P>I didnt see that option...good to know.</P> Wed, 02 May 2012 13:00:36 GMT sdaniels 2012-05-02T13:00:36Z https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41424#M9601 <P>Hi all,</P> <P>I'm adding detail files from FreeRadius, which looks like following:</P> <P>Wed May 2 10:28:04 2012<BR /> NAS-IP-Address = 192.168.193.67<BR /> User-Name = "a12345677"<BR /> NAS-Port = 0<BR /> NAS-Port-Type = Wireless-802.11<BR /> [snipped]</P> <P>I specified following in props.conf:</P> <P>TIME_FORMAT=%a %b %d %H:%M:%S %Y<BR /> TIME_PREFIX=^</P> <P>The Data Preview panel complains about "Could not parse strptime to parse timestamp", although it is still okay to identify individual records. I wonder if I make any mistake in the format string . Would anyone please help?</P> <P>Thanks a lot.</P> Mon, 28 Sep 2020 11:45:54 GMT https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41424#M9601 stwong 2020-09-28T11:45:54Z https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41425#M9602 <P>You should change the <STRONG><CODE>%d</CODE></STRONG> (01-31) for a <STRONG><CODE>%e</CODE></STRONG> (1-31) in TIME_FORMAT.</P> <HR /> <P>UPDATE:<BR /> What are the values for <CODE>timestartpos</CODE> and <CODE>timeendpos</CODE>? Do they correspond to where your timestamp begins and ends? Those fields are automatically extracted, but to see them you may have to click the "View all XX fields" in the field picker on the left. </P> <P>Perhaps you need to remove/change the <CODE>TIME_PREFIX</CODE> and specify a <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE>. </P> <P>Please post a complete event, and what time splunk interprets, and the <CODE>timestartpos</CODE> and <CODE>timeendpos</CODE>.</P> <P>Hope this helps,</P> <P>Kristian</P> Wed, 02 May 2012 12:56:33 GMT https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41425#M9602 kristian_kolb 2012-05-02T12:56:33Z https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41426#M9603 <P>I didnt see that option...good to know.</P> Wed, 02 May 2012 13:00:36 GMT https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41426#M9603 sdaniels 2012-05-02T13:00:36Z https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41427#M9604 <P>Same result after changing %d to %e.<BR /> Anyway, thanks for your help.</P> <P>/ST</P> Thu, 03 May 2012 05:52:41 GMT https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41427#M9604 stwong 2012-05-03T05:52:41Z https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41428#M9605 <P>see update above. /k</P> Thu, 03 May 2012 07:48:59 GMT https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41428#M9605 kristian_kolb 2012-05-03T07:48:59Z https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41429#M9606 <P>Is there any news on this topic?<BR /> I have the same problem...</P> Mon, 06 Mar 2017 16:31:08 GMT https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41429#M9606 goelli 2017-03-06T16:31:08Z https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41430#M9607 <P>I left this question unchecked for long tims, as the time can be parsed correctly...</P> Fri, 10 Mar 2017 06:14:36 GMT https://community.splunk.com/t5/Splunk-Search/Could-not-use-strptime-to-parse-timestamp/m-p/41430#M9607 stwong 2017-03-10T06:14:36Z