Having a problem creating a props configuration
Seeing could not use striptime to parse timestamp.
The logs below come from Docker
("log":"[20:52:02] [/home/a153509/.local/share/code-server/extensions/ms-toolsai.jupyter-2022.9.1303220346]: Extension is not compatible with Code 1.66.2 . Extension requires: 1.72.0.\n","stream":"stderr","time":"2023-03-06T20:52:02.2194402152"}{"log":"[20:52:02] [ /home/a15 3509/.local/share/code-server/extensions/ms-python.vscode-pylance-2023. 1.10]: Extension is not compatible with Code 1.66.2. Extension req uires: 1.67.0.\n ", "stream":"stderr","time": "2023-03-06T20:52:02.219891147Z")("log": "[20:52:02] [\u003cunknown\u003e][80d9f7e6][ Extension HostConnection] New connection established.\n","stream":"stdout","time":"2023-03-06T20:52:02.604222684Z"){"log":"[20:52:02] [ \u003cunknow n\u003e][80d9f7e6][ExtensionHostConnection] \u003c1453\u003e Launched Extension Host Process. \n","stream":"stdout","time":"2023-03-06T20: 52:02.617643295Z"] ["log": "[IPC Library: Pty Host] INFO Persistent process "1": Replaying 505 chars and 1 size events\n","stream":"stdo ut", "time":"2023-03-06T20 :52:06.9 270320622"} ["log":"[IPC Library: Pty Host] WARN Shell integration cannot be enabled for executable \"/b in/bash and args undefined\n", "stream":"stdout","time": "2023-03-06T20:52:56.754368802Z"}{ log":"[20:57:00] [\u003cunknown\u003e][laf3f4 9a][ExtensionHostConnection] \u003c766\u003e Extension Host Process exited with code: 0 , signal: null.\n","stream"stdout", "time":"2023- 03-06T20:57:00 839578031Z"}"log" [02:12:50] [\u003cunknown\u003e][adf26d01 ][ManagementConnection] The client has disconnected, will wai t for reconnection 3h before disposing...\n","stream":"stdout, "time":"2023-03-07T02:12:50. 7892555182")("log":"[05:12:59] [\u003cunknown \u003e][adf26d01][ManagementConnection] The reconnection grace time of 3h has expired, so the connection will be disposed. 
\n", "stream ":"s tdout","time":"2023-03-07T05:12:59.567198587Z" log":[13:16:53] [\u003cunknown\u003e][adf26d01][ManagementConnection] Unknown reconnect ion token ( seen before) \n","stream":"stderr","time":"2023-03-07T13:16:53 2951627292")("log":"[13:16:53] [\u003cunknown\u003e ][80d9f7e6] [ExtensionHostConnection] The client has reconnected. \n","stream":"stdout", "time": "2023-03-07T13: 16:53.453120386Z")
Here is my props.conf
auto learned
SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\r]+)\s*("log":"{\n
NO_BINARY_CHECK=true TIME_PREFIX="time"
MAX_TIMESTAMP_LOOKAHEAD=48
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.9N%z
TRUNCATE=999999
CHARSET=UTF-8
KV_MODE=json
ANNOTATE_PUNCT=false
What do you mean by "could not use"? What exactly is the problem you are having with it? You are aware the function is pronounced "striptime", but is typed "strptime", right? Please show the SPL you tried and the results it gave. Also, your props.conf settings have no effect on the strptime function.
The LINE_BREAKER setting does not match the sample data.
LINE_BREAKER = ()\s*("log":
should be enough.
The TIME_FORMAT setting doesn't match the example event. It specifies the time zone offset rather than a time zone abbreviation. Try
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.9N%Z
The first timestamp in the example log has a different format.
Hello @richgalloway
I tried that configuration, which you suggested above.
Now I'll try to explain what the problem is.
We are trying to write the props to onboard the Docker logs.
The log looks like the one below:
("log":"[20:52:02] [/home/a153509/.local/share/code-server/extensions/ms-toolsai.jupyter-2022.9.1303220346]: Extension is not compatible with Code 1.66.2 . Extension requires: 1.72.0.\n","stream":"stderr","time":"2023-03-06T20:52:02.2194402152"}
While applying the props configuration it is showing some warning error like
Could not use strptime to parse timestamp from ""."[20:52:02][/home/a153509/.local/share/code-s".
It looks like Splunk is treating "20:52:02" as a timestamp rather than looking at the time field later in the event. This usually means the TIME_PREFIX field is missing or is incorrect. In the OP, the TIME_PREFIX setting was not on a line by itself, which I thought was an error in writing the message. Please verify the setting is correctly placed in props.conf.
Avoid auto-learned sourcetypes since that means Splunk made assumptions about the sourcetype and those assumptions could be incorrect. Always specify a sourcetype in inputs.conf and have a stanza for that sourcetype in props.conf.
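An added example, not part of the thread and not Splunk's code: a rough offline Python check of event breaking and timestamp location on constructed Docker json-file lines, showing why a missing TIME_PREFIX leaves only "[20:52:02]" at the scan position. The regexes, sample lines and function names are assumptions, and the logic approximates Splunk's behaviour rather than reproducing its parser.

```python
import re
from datetime import datetime, timezone

# Constructed sample in Docker json-file format (one JSON object per line).
SAMPLE = (
    '{"log":"[20:52:02] Extension host started\\n","stream":"stdout",'
    '"time":"2023-03-06T20:52:02.604222684Z"}\n'
    '{"log":"[20:52:06] Pty host replaying events\\n","stream":"stderr",'
    '"time":"2023-03-06T20:52:06.927032062Z"}\n'
)

LINE_BREAKER = r'([\r\n]+)\s*\{"log":'  # assumed pattern; only group 1 is discarded
TIME_PREFIX = r'"time":\s*"'            # assumed pattern
LOOKAHEAD = 48                           # MAX_TIMESTAMP_LOOKAHEAD from the thread
# ISO 8601 with up to nine fractional digits and a literal Z.
TS = re.compile(r'(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.(\d{1,9})Z')


def break_events(raw):
    """Split raw text where LINE_BREAKER matches, dropping capture group 1."""
    events, start = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


def extract_time(event, prefix=TIME_PREFIX):
    """Return (datetime, nanoseconds), or None if no timestamp is found.

    With an empty prefix the scan starts at the beginning of the event.
    """
    offset = 0
    if prefix:
        m = re.search(prefix, event)
        if m is None:
            return None
        offset = m.end()
    m = TS.match(event[offset:offset + LOOKAHEAD])
    if m is None:
        return None
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(tzinfo=timezone.utc), int(m.group(2).ljust(9, "0"))


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(extract_time(ev), "| without prefix:", extract_time(ev, prefix=""))
```
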
Can you help me with the above one?