Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

could not use strptime to parse timestamp

riqbal47010
Path Finder
‎04-16-2020 07:01 AM 
Feb 18 18:36:20 smtp2 sm-mta[17872]: l1J0a3fO017872: discarded

I have one sample event. when I this it gives me "could not use strptime to parse timestamp" error. picture as attached.

below is my sample props.conf

alt text

[ email_log ]
BREAK_ONLY_BEFORE=\w+\s+\d+\s+\d+:\d+:\d+
CHARSET=AUTO
MAX_TIMESTAMP_LOOKAHEAD=15
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%a %d %H:%M:%S
disabled=false
pulldown_type=true

Labels (1)
Labels
Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎04-16-2020 07:19 AM

Your TIME_FORMAT is wrong. You have %a which represents day of week, but in your log, it's showing the shorthand month which should be %b

Here's the correct format 

TIME_FORMAT=%b %d %H:%M:%S

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎04-16-2020 07:19 AM

Your TIME_FORMAT is wrong. You have %a which represents day of week, but in your log, it's showing the shorthand month which should be %b

Here's the correct format 

TIME_FORMAT=%b %d %H:%M:%S
0 Karma
Reply
Solved! Jump to solution

riqbal47010
Path Finder
‎04-17-2020 04:10 AM

yes you are right.
My silly mistake..
the lab results are giving me below errors:

Data Onboarding – Default (empty) TIME_FORMAT (contrary to best practices).
- Data Onboarding – Default (empty) TIME_PREFIX (contrary to best practices).
- Data Onboarding – Default TRUNCATE; should have been set lower as a safety switch against bad data.
- Data Onboarding – LINE_BREAKER not up to best practices. As a reminder, the default is '([ ]+)', read as 'a capture group matching one or more new line or carriage return line feeds.' The goal is to enhance this, for this sample, by including extra information like the date stamp which signals 'not just a new line, but a new event'. Splunk treats the capture group like a 'hole punch' as the text to remove to separate events from one another within the file.

can you please support me with these.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 05:03 AM 
BREAK_ONLY_BEFORE=\w+\s+\d+\s+\d+:\d+:\d+
SHOULD_LINEMERGE=true

this is not best practice.

SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
0 Karma
Reply
Solved! Jump to solution

riqbal47010
Path Finder
‎04-17-2020 05:36 AM

Sorry did not get your point. you are referring first point or 2nd point.
and whats about TIME_PREFIX and TRUNCATE. can you please advise on this as well

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 05:58 AM

see
https://answers.splunk.com/answers/227121/what-is-the-difference-between-line-breaker-and-br.html

TIME_PREFIX no need
TRUNCATE do you have problem?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...