error message: Could not use strptime to parse timestamp from "[00:00:00.015".
Event:
[00:00:00.015] [DEBUG] [xxxxxnitor_xxx-6] [xxxx:] com.gxxxe.vxxxg.dxx.jxxx.Ix expireTime=Sat Feb 23 23:45:00 AST 2019
props.conf
Timestamp format: \d{2}:\d{2}:\d{2}.\d{3}
Timestamp prefix:
Lookahead: 13
@rashid47010 Splunk docs clearly state that:
If you don't set TIME_PREFIX but you do set TIME_FORMAT, the timestamp must appear at the very start of each event; otherwise, Splunk software will not be able to process the formatting instructions, and every event will contain a warning about the inability to use strptime.
So I see that you currently have TIME_PREFIX set to an empty string. Considering your event, I would recommend adding TIME_PREFIX = ^\[ and TIME_FORMAT = %H:%M:%S.%3N:
TIME_PREFIX = ^\[
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
I hope that helps.
There are a few answers which are 'close', and I think some contributors thought you were trying to use the expire time; however, assuming you want the beginning timestamp, the format you need should simply be:
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 13
You should be aware that the delay between the event being generated and the time Splunk processes these messages could affect the timestamping.
Since your event does not include the date, Splunk will assume 'today' when it parses the TIMEstamp. You should keep an eye on these sources to make sure the queues don't fill up, because the risk if you have indexing delays is that messages from 'yesterday' could be DATEstamped as 'today' (around midnight being the obvious time for confusion).
It's not always possible, but if you have any control over the log format, it would be very beneficial to include a date in the event along with the time.
Try the following:
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 13
TIME_PREFIX = \r\n\[
If you set TIME_PREFIX, the MAX_TIMESTAMP_LOOKAHEAD starts after the prefix match, so technically you should adjust the lookahead to 12 instead of 13. In this case the prefix is probably not necessary, because the timestamp will always be in the first 13 chars of the event.
My event starts with [09:34:09.584]:
[09:34:09.584] [DEBUG] [WebContainer : 3] [User:14xx7] com.gide.vmxxg.xx.xx.axxxation.ixxerceptors.VxxsFrontControllerInterceptor - Response SOAP:
Do you not have any date fields?
No, there is no date field. It is taking the file date.
Assuming Sat Feb 23 23:45:00 AST 2019 is the timestamp, as the rest of them do not have dates, you can use this:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configuretimestamprecognition
[your_sourcetype]
TIME_PREFIX = expireTime=
TIME_FORMAT = %a %b %d %H:%M:%S %Z %Y
MAX_TIMESTAMP_LOOKAHEAD = 30
Here is what you should have:
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=expireTime=\w{3}\s
TIME_FORMAT=%b %d %H:%M:%S %Z %Y
MAX_TIMESTAMP_LOOKAHEAD=24
Let me know
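To make the interaction of TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT across the answers above concrete, here is an added Python model (not Splunk's code, and a deliberate simplification of its timestamp engine) run against a constructed event shaped like the one in the question. It assumes that the lookahead is counted from the end of the prefix match, that the timestamp must begin immediately after the prefix (or at the start of the event when there is no prefix), that a missing date defaults to 'today', and it ignores the %Z zone when building the datetime.

```python
import re
from datetime import date, datetime

# Constructed sample event, masked the same way as the one in the thread (not a real log line)
EVENT = ("[00:00:00.015] [DEBUG] [monitor-6] com.example.Ix "
         "expireTime=Sat Feb 23 23:45:00 AST 2019")

# Subset of strptime tokens used in this thread; %3N is Splunk's 3-digit milliseconds token
TOKENS = {"%H": r"(?P<H>\d{2})", "%M": r"(?P<M>\d{2})", "%S": r"(?P<S>\d{2})",
          "%3N": r"(?P<N>\d{3})", "%d": r"(?P<d>\d{2})", "%Y": r"(?P<Y>\d{4})",
          "%b": r"(?P<b>[A-Za-z]{3})", "%a": r"[A-Za-z]{3}", "%Z": r"[A-Z]{3,4}"}
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}


def _format_to_regex(time_format):
    """Turn a TIME_FORMAT string into a regex that enforces each token's width."""
    pattern = ""
    for part in re.split(r"(%3N|%[A-Za-z])", time_format):
        pattern += TOKENS[part] if part in TOKENS else re.escape(part)
    return re.compile(pattern)


def extract_timestamp(event, time_format, time_prefix="", lookahead=128, today=None):
    """Simplified model (an assumption, not Splunk's engine) of TIME_PREFIX,
    MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT. Returns a datetime, or None where
    Splunk would log 'Could not use strptime to parse timestamp'."""
    start = 0
    if time_prefix:
        m = re.search(time_prefix, event)
        if not m:
            return None
        start = m.end()  # the lookahead window is counted from the end of the prefix match
    window = event[start:start + lookahead]
    hit = _format_to_regex(time_format).match(window)  # must begin right at the window start
    if not hit:
        return None
    g = hit.groupdict()
    today = today or date.today()  # no date in the event: assume 'today', as the thread notes
    return datetime(int(g.get("Y") or today.year),
                    MONTHS[g["b"].lower()] if g.get("b") else today.month,
                    int(g["d"]) if g.get("d") else today.day,
                    int(g["H"]), int(g["M"]), int(g["S"]),
                    int(g["N"]) * 1000 if g.get("N") else 0)


if __name__ == "__main__":
    # The question's config (no prefix, lookahead 13) fails because the event starts with '['
    print(extract_timestamp(EVENT, "%H:%M:%S.%3N", lookahead=13))
    # With TIME_PREFIX = ^\[ the 12-character window after the prefix is enough
    print(extract_timestamp(EVENT, "%H:%M:%S.%3N", time_prefix=r"^\[", lookahead=12))
```

Dropping the lookahead to 11 with the prefix cuts the milliseconds to two digits and the parse fails again, which is the 12-versus-13 point made above.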