Getting Data In

Could not use striptime to parse timestamp

Jackinout9
Loves-to-Learn

Having a problem creating a props configuration.

Seeing "could not use striptime to parse timestamp".

The logs below come from Docker.

{"log":"[20:52:02] [/home/a153509/.local/share/code-server/extensions/ms-toolsai.jupyter-2022.9.1303220346]: Extension is not compatible with Code 1.66.2. Extension requires: 1.72.0.\n","stream":"stderr","time":"2023-03-06T20:52:02.219440215Z"}
{"log":"[20:52:02] [/home/a153509/.local/share/code-server/extensions/ms-python.vscode-pylance-2023.1.10]: Extension is not compatible with Code 1.66.2. Extension requires: 1.67.0.\n","stream":"stderr","time":"2023-03-06T20:52:02.219891147Z"}
{"log":"[20:52:02] [\u003cunknown\u003e][80d9f7e6][ExtensionHostConnection] New connection established.\n","stream":"stdout","time":"2023-03-06T20:52:02.604222684Z"}
{"log":"[20:52:02] [\u003cunknown\u003e][80d9f7e6][ExtensionHostConnection] \u003c1453\u003e Launched Extension Host Process.\n","stream":"stdout","time":"2023-03-06T20:52:02.617643295Z"}
{"log":"[IPC Library: Pty Host] INFO Persistent process \"1\": Replaying 505 chars and 1 size events\n","stream":"stdout","time":"2023-03-06T20:52:06.927032062Z"}
{"log":"[IPC Library: Pty Host] WARN Shell integration cannot be enabled for executable \"/bin/bash\" and args undefined\n","stream":"stdout","time":"2023-03-06T20:52:56.754368802Z"}
{"log":"[20:57:00] [\u003cunknown\u003e][1af3f49a][ExtensionHostConnection] \u003c766\u003e Extension Host Process exited with code: 0, signal: null.\n","stream":"stdout","time":"2023-03-06T20:57:00.839578031Z"}
{"log":"[02:12:50] [\u003cunknown\u003e][adf26d01][ManagementConnection] The client has disconnected, will wait for reconnection 3h before disposing...\n","stream":"stdout","time":"2023-03-07T02:12:50.789255518Z"}
{"log":"[05:12:59] [\u003cunknown\u003e][adf26d01][ManagementConnection] The reconnection grace time of 3h has expired, so the connection will be disposed.\n","stream":"stdout","time":"2023-03-07T05:12:59.567198587Z"}
{"log":"[13:16:53] [\u003cunknown\u003e][adf26d01][ManagementConnection] Unknown reconnection token (seen before)\n","stream":"stderr","time":"2023-03-07T13:16:53.295162729Z"}
{"log":"[13:16:53] [\u003cunknown\u003e][80d9f7e6][ExtensionHostConnection] The client has reconnected.\n","stream":"stdout","time":"2023-03-07T13:16:53.453120386Z"}


Here is my props.conf:

auto learned

SHOULD_LINEMERGE=false
LINE_BREAKER=([\n\r]+)\s*{"log":"
NO_BINARY_CHECK=true TIME_PREFIX="time"
MAX_TIMESTAMP_LOOKAHEAD=48
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%9N%z
TRUNCATE=999999
CHARSET=UTF-8
KV_MODE=json
ANNOTATE_PUNCT=false

0 Karma

richgalloway
SplunkTrust

What do you mean by "could not use"?  What exactly is the problem you are having with it?  You are aware the function is pronounced "striptime", but is typed "strptime", right?  Please show the SPL you tried and the results it gave.  Also, your props.conf settings have no effect on the strptime function.

The LINE_BREAKER setting does not match the sample data.

LINE_BREAKER = ()\s*{"log":

should be enough.

The TIME_FORMAT setting doesn't match the example event.  It specifies the time zone offset rather than a time zone abbreviation.  Try 

TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9N%Z

The first timestamp in the example log has a different format.


---
If this reply helps you, Karma would be appreciated.
0 Karma

Jackinout9
Loves-to-Learn

Hello @richgalloway 

I tried that configuration, which you suggested above.

Now I'll try to explain what the problem is.

We are trying to write the props to onboard the Docker logs.

The log looks like the one below:

{"log":"[20:52:02] [/home/a153509/.local/share/code-server/extensions/ms-toolsai.jupyter-2022.9.1303220346]: Extension is not compatible with Code 1.66.2. Extension requires: 1.72.0.\n","stream":"stderr","time":"2023-03-06T20:52:02.219440215Z"}


While applying the props configuration, it shows a warning like:

Could not use strptime to parse timestamp from ""."[20:52:02][/home/a153509/.local/share/code-s".


0 Karma

richgalloway
SplunkTrust

It looks like Splunk is treating "20:52:02" as a timestamp rather than looking for the time field later in the event.  This usually means the TIME_PREFIX setting is missing or is incorrect.  In the OP, the TIME_PREFIX setting was not on a line by itself, which I thought was an error in writing the message.  Please verify the setting is correctly placed in props.conf.

Avoid auto-learned sourcetypes since that means Splunk made assumptions about the sourcetype and those assumptions could be incorrect.  Always specify a sourcetype in inputs.conf and have a stanza for that sourcetype in props.conf.

---
If this reply helps you, Karma would be appreciated.
0 Karma
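To check the settings discussed in the two replies above without restarting a Splunk instance, here is a small Python emulation of how LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT interact. It is an added example, not code from the thread or from Splunk. The sample records are constructed from the paste in the question; the emulation implements only the strptime directives the thread uses, and it assumes that %Z is a zone abbreviation (with Z, UTC and GMT mapped to UTC) and %z a numeric offset. Splunk's real parser also consults its zone tables and, when strptime cannot be applied at the position TIME_PREFIX selects, logs the "Could not use strptime" warning and falls back to automatic timestamp detection, which is how a bare 20:52:02 can end up as _time. The run shows that the original breaker needs a real newline in front of each record while ()\s*{"log": does not, that %z rejects the trailing Z the Docker timestamps carry while %Z accepts it, and that a TIME_PREFIX of "time" (without the following :") leaves the parse window starting at :" so strptime cannot match.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not the poster's file): two of the docker json-file records quoted
# in the thread, joined once WITHOUT a newline, the way the forum rendered the paste, and
# once as the json-file driver actually writes them (one record per line).
RECORDS = [
    '{"log":"[20:52:02] [/home/a153509/.local/share/code-server/extensions/'
    'ms-toolsai.jupyter-2022.9.1303220346]: Extension is not compatible with Code 1.66.2. '
    'Extension requires: 1.72.0.\\n","stream":"stderr","time":"2023-03-06T20:52:02.219440215Z"}',
    '{"log":"[20:52:02] [\\u003cunknown\\u003e][80d9f7e6][ExtensionHostConnection] '
    'New connection established.\\n","stream":"stdout","time":"2023-03-06T20:52:02.604222684Z"}',
]
NO_NEWLINES = "".join(RECORDS)
WITH_NEWLINES = "\n".join(RECORDS) + "\n"

# The two LINE_BREAKER values from the thread. The brace is escaped here; PCRE (Splunk)
# and Python both also accept a bare "{" as a literal when it cannot start a quantifier.
OP_LINE_BREAKER = r'([\n\r]+)\s*\{"log":"'   # needs a real newline before each record
SUGGESTED_LINE_BREAKER = r'()\s*\{"log":'    # zero-width group: breaks even with no newline


def break_events(raw, line_breaker):
    """Emulate LINE_BREAKER: the text matched by the first capture group is the boundary
    and is discarded; what precedes it closes the previous event, what follows opens the next."""
    pattern = re.compile(line_breaker)
    if pattern.groups == 0:
        raise ValueError("LINE_BREAKER must contain a capture group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        chunk = raw[start:m.start(1)].strip()
        if chunk:
            events.append(chunk)
        start = m.end(1)
    tail = raw[start:].strip()
    if tail:
        events.append(tail)
    return events


# The subset of Splunk's TIME_FORMAT (strptime) directives used in the thread, as regexes.
# %9N is Splunk's nanosecond directive; %Z is a zone abbreviation, %z a numeric offset.
DIRECTIVES = {
    "%Y": r"(?P<Y>\d{4})", "%m": r"(?P<m>\d{2})", "%d": r"(?P<d>\d{2})",
    "%H": r"(?P<H>\d{2})", "%M": r"(?P<M>\d{2})", "%S": r"(?P<S>\d{2})",
    "%9N": r"(?P<N>\d{1,9})",
    "%Z": r"(?P<Z>Z|[A-Z]{3,5})",
    "%z": r"(?P<z>[+-]\d{2}:?\d{2})",
}


def format_to_regex(time_format):
    """Translate a TIME_FORMAT string into a compiled regex that is matched at the window start."""
    parts, i = [], 0
    while i < len(time_format):
        for directive, rx in DIRECTIVES.items():
            if time_format.startswith(directive, i):
                parts.append(rx)
                i += len(directive)
                break
        else:
            parts.append(re.escape(time_format[i]))
            i += 1
    return re.compile("".join(parts))


def extract_timestamp(event, time_prefix, time_format, max_lookahead=48):
    """Emulate TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT for one event.

    Returns an aware datetime, or None when strptime cannot be applied at the position
    TIME_PREFIX selects (Splunk's "Could not use strptime to parse timestamp" case)."""
    pos = 0
    if time_prefix:
        m = re.search(time_prefix, event)
        if m is None:
            return None
        pos = m.end()
    window = event[pos:pos + max_lookahead]   # strptime only ever sees this many characters
    m = format_to_regex(time_format).match(window)
    if m is None:
        return None
    g = m.groupdict()
    micros = int(g["N"].ljust(9, "0")[:6]) if g.get("N") else 0  # datetime keeps microseconds only
    if g.get("z"):
        sign = -1 if g["z"][0] == "-" else 1
        digits = g["z"][1:].replace(":", "")
        tz = timezone(sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:])))
    elif g.get("Z") in ("Z", "UTC", "GMT"):
        tz = timezone.utc
    else:
        tz = None   # other abbreviations need a zone table; Splunk has one, this emulation does not
    return datetime(int(g["Y"]), int(g["m"]), int(g["d"]),
                    int(g["H"]), int(g["M"]), int(g["S"]), micros, tzinfo=tz)


if __name__ == "__main__":
    for label, raw in (("no newlines", NO_NEWLINES), ("one per line", WITH_NEWLINES)):
        print(label, "| OP breaker ->", len(break_events(raw, OP_LINE_BREAKER)), "events;",
              "suggested breaker ->", len(break_events(raw, SUGGESTED_LINE_BREAKER)), "events")
    event = break_events(NO_NEWLINES, SUGGESTED_LINE_BREAKER)[0]
    ISO_Z = "%Y-%m-%dT%H:%M:%S.%9N%Z"
    print("no TIME_PREFIX               ->", extract_timestamp(event, "", ISO_Z))
    print('TIME_PREFIX "time"           ->', extract_timestamp(event, r'"time"', ISO_Z))
    print('TIME_PREFIX "time":" with %z ->', extract_timestamp(event, r'"time":"', "%Y-%m-%dT%H:%M:%S.%9N%z"))
    print('TIME_PREFIX "time":" with %Z ->', extract_timestamp(event, r'"time":"', ISO_Z))
```

Only the last line prints a datetime; the other three are the configurations that make strptime fail and hand the event over to automatic detection. Running the script against a few real lines from the container's json-file log is a cheap sanity check before putting the stanza into props.conf.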

Jackinout9
Loves-to-Learn

Hi @richgalloway 

Can you help me with the above?

0 Karma