
could not use strptime to parse timestamp

riqbal47010
Path Finder
I have one sample event. When I try this, it gives me a "could not use strptime to parse timestamp" error; picture as attached.

Feb 18 18:36:20 smtp2 sm-mta[17872]: l1J0a3fO017872: discarded

Below is my sample props.conf:

[email_log]
BREAK_ONLY_BEFORE=\w+\s+\d+\s+\d+:\d+:\d+
CHARSET=AUTO
MAX_TIMESTAMP_LOOKAHEAD=15
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%a %d %H:%M:%S
disabled=false
pulldown_type=true


skoelpin
SplunkTrust

Your TIME_FORMAT is wrong. You have %a, which represents the day of the week, but your log is showing the shorthand month, which should be %b.

Here's the correct format:

TIME_FORMAT=%b %d %H:%M:%S

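The accepted answer comes down to one strptime directive. The following added example (not code from the thread or from Splunk) reproduces the failure and the fix with Python's datetime.strptime, which understands the same %a/%b/%d/%H/%M/%S directives that Splunk's TIME_FORMAT uses; the sample event is copied from the question and MAX_TIMESTAMP_LOOKAHEAD=15 is taken from the posted props.conf.

```python
# Added example, not from the Splunk Answers thread: shows why the original
# TIME_FORMAT fails on the sample event and the corrected one parses it.
# Python's datetime.strptime uses the same directives as Splunk's TIME_FORMAT.
from datetime import datetime

# Copy of the sample event posted in the question.
SAMPLE_EVENT = "Feb 18 18:36:20 smtp2 sm-mta[17872]: l1J0a3fO017872: discarded"

# Splunk reads at most MAX_TIMESTAMP_LOOKAHEAD characters when it looks for the
# timestamp; the question's props.conf sets 15, which exactly covers "Feb 18 18:36:20".
MAX_TIMESTAMP_LOOKAHEAD = 15

# The two formats from the thread: the original (wrong) one and the accepted fix.
WRONG_FORMAT = "%a %d %H:%M:%S"    # %a = abbreviated weekday name (Mon, Tue, ...)
CORRECT_FORMAT = "%b %d %H:%M:%S"  # %b = abbreviated month name (Jan, Feb, ...)


def parse_timestamp(event, time_format, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return a datetime if the first `lookahead` characters of `event` match
    `time_format`, otherwise None (the Python equivalent of Splunk's
    "could not use strptime to parse timestamp" failure)."""
    candidate = event[:lookahead]
    try:
        return datetime.strptime(candidate, time_format)
    except ValueError:
        # "Feb" is not a weekday name, so %a raises here.
        return None


if __name__ == "__main__":
    for fmt in (WRONG_FORMAT, CORRECT_FORMAT):
        result = parse_timestamp(SAMPLE_EVENT, fmt)
        status = result.isoformat() if result else "could not use strptime to parse timestamp"
        print(f"{fmt!r}: {status}")
```

One caveat the thread does not mention: neither the event nor either TIME_FORMAT carries a year, so Python fills in 1900 while Splunk infers the year from the current date at index time. If the log is ever replayed or onboarded late, add the year to the event source or set the year handling explicitly in props.conf rather than relying on that inference.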

riqbal47010
Path Finder

Yes, you are right. My silly mistake.
The lab results are giving me the errors below:

- Data Onboarding – Default (empty) TIME_FORMAT (contrary to best practices).
- Data Onboarding – Default (empty) TIME_PREFIX (contrary to best practices).
- Data Onboarding – Default TRUNCATE; should have been set lower as a safety switch against bad data.
- Data Onboarding – LINE_BREAKER not up to best practices. As a reminder, the default is '([\r\n]+)', read as 'a capture group matching one or more new line or carriage return line feeds.' The goal is to enhance this, for this sample, by including extra information like the date stamp which signals 'not just a new line, but a new event'. Splunk treats the capture group like a 'hole punch' as the text to remove to separate events from one another within the file.

Can you please support me with these?


to4kawa
Ultra Champion
BREAK_ONLY_BEFORE=\w+\s+\d+\s+\d+:\d+:\d+
SHOULD_LINEMERGE=true

This is not best practice.

SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
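Both the lab feedback quoted above (the capture group as a "hole punch", enhanced with the date stamp) and to4kawa's recommendation of SHOULD_LINEMERGE=false with LINE_BREAKER describe the same mechanism. The following added example (not code from the thread or from Splunk) emulates that mechanism in Python so the difference between the default breaker and a date-stamp-aware breaker can be seen on a constructed sendmail-style sample; the sample log lines, the DATE_STAMP_LINE_BREAKER regex and the break_events function are all assumptions of this example, not part of the original post.

```python
# Added example, not from the thread: emulates how Splunk applies LINE_BREAKER
# when SHOULD_LINEMERGE=false. The regex is searched across the raw text; the
# characters consumed by capture group 1 are discarded (the "hole punch"),
# everything before the group closes the current event, and any match text
# after the group is carried to the front of the next event.
import re

# Constructed sendmail-style sample: the second message has a continuation
# line that does not begin with a timestamp.
RAW = (
    "Feb 18 18:36:20 smtp2 sm-mta[17872]: l1J0a3fO017872: discarded\n"
    "Feb 18 18:36:21 smtp2 sm-mta[17873]: l1J0a3fO017873: to=<user@example.com>,\n"
    "    stat=Deferred: Connection timed out\n"
    "Feb 18 18:36:22 smtp2 sm-mta[17874]: l1J0a3fO017874: discarded\n"
)

# The Splunk default LINE_BREAKER that the lab feedback and to4kawa's answer cite.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Enhanced breaker (assumption of this example): only punch a hole where the
# following line starts with a "Mon DD HH:MM:SS" date stamp. The lookahead is
# zero-width, so the timestamp stays at the front of the next event.
DATE_STAMP_LINE_BREAKER = r"([\r\n]+)(?=[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"


def break_events(raw, line_breaker):
    """Split `raw` into events the way LINE_BREAKER does: capture group 1 is
    removed, and match text after group 1 begins the following event."""
    pattern = re.compile(line_breaker)
    events = []
    pos = 0      # start of the event currently being built
    carry = ""   # match text after group 1, carried into the next event
    for m in pattern.finditer(raw):
        event = carry + raw[pos:m.start(1)]
        if event:  # ignore empty events from leading/trailing newlines
            events.append(event)
        carry = raw[m.end(1):m.end()]
        pos = m.end()
    tail = carry + raw[pos:]
    if tail:
        events.append(tail)
    return events


if __name__ == "__main__":
    for name, breaker in (("default", DEFAULT_LINE_BREAKER),
                          ("date-stamp", DATE_STAMP_LINE_BREAKER)):
        events = break_events(RAW, breaker)
        print(f"{name}: {len(events)} events")
        for event in events:
            print("  " + repr(event))
```

With the default breaker the continuation line becomes an event of its own, which then has no timestamp for TIME_FORMAT to parse; with the date-stamp breaker it stays attached to the message it belongs to. This is what the lab means by enhancing the capture group, and it is why SHOULD_LINEMERGE=false plus a precise LINE_BREAKER is preferred over BREAK_ONLY_BEFORE: Splunk's documentation describes LINE_BREAKER as the more efficient path because it avoids the separate line-merging pass.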

riqbal47010
Path Finder

Sorry, I did not get your point. Are you referring to the first point or the 2nd point?
And what about TIME_PREFIX and TRUNCATE? Can you please advise on this as well?


to4kawa
Ultra Champion