Getting Data In

could not use the strptime to parse timestamp from "[xx:xx:xx.xxx"

rashid47010
Communicator

error message: Could not use strptime to parse timestamp from "[00:00:00.015".

Event:
[00:00:00.015] [DEBUG] [xxxxxnitor_xxx-6] [xxxx:] com.gxxxe.vxxxg.dxx.jxxx.Ix expireTime=Sat Feb 23 23:45:00 AST 2019

props.conf
Timestamp format: \d{2}:\d{2}:\d{2}.\d{3}
Timestamp prefix:
Lookahead: 13

0 Karma

vsingla1
Communicator

@rashid47010 Splunk docs clearly state that:
If you don't set TIME_PREFIX but you do set TIME_FORMAT, the timestamp must appear at the very start of each event; otherwise, Splunk software will not be able to process the formatting instructions, and every event will contain a warning about the inability to use strptime.
So I see that you currently have TIME_PREFIX set to an empty string. Considering your event, I would recommend adding TIME_PREFIX=^[
and TIME_FORMAT as %H:%M:%S.%3N.

TIME_PREFIX = ^\[
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12

I hope that helps.

0 Karma

nickhills
Ultra Champion

There are a few answers which are 'close', and I think some contributors thought you were trying to use the expire time. However, assuming you want the beginning timestamp, the format you need should simply be:

TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 13

You should be aware that the time it takes between the event being generated and the time Splunk processes these messages could affect the timestamping.
Since your event does not include the date, Splunk will assume 'today' when it parses the TIMEstamp. You should keep an eye on these sources to make sure the queues don't fill up, because the risk, if you have indexing delays, is that messages from 'yesterday' could be DATEstamped as 'today' (around midnight being the obvious time for confusion).

It's not always possible, but if you have any control over the log format, it would be very beneficial to include a date in the event along with the time.

If my comment helps, please give it a thumbs up!
0 Karma

damann
Communicator

Try the following:

TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 13
TIME_PREFIX = \r\n\[
0 Karma

nickhills
Ultra Champion

If you set TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD starts after the prefix match, so technically you should adjust the lookahead to 12 instead of 13. In this case the prefix is probably not necessary, because the timestamp will always be in the first 13 chars of the event.

If my comment helps, please give it a thumbs up!
0 Karma
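The two points made above (the lookahead window starts after the TIME_PREFIX match, and a time-only event is dated with 'today', which goes wrong around midnight) are easy to see in a small emulation. The following is an added example written for this page, not code from the thread or from Splunk: it approximates how TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD select the text that strptime sees, translates Splunk's %3N to Python's %f (an assumption; Python's %f is lenient about width, Splunk's %3N is not), and then shows the midnight problem on constructed sample events, with a rollover heuristic that advances the date when the clock jumps backwards. The event text, worker names and the file date are all constructed.

```python
import re
from datetime import date, datetime, time, timedelta

# Constructed sample events (not from the original thread): a time-only log
# that wraps past midnight, the case the discussion above warns about.
SAMPLE_EVENTS = [
    "[23:59:58.900] [DEBUG] [worker-1] Request received",
    "[23:59:59.120] [DEBUG] [worker-1] Response SOAP:",
    "[00:00:00.015] [DEBUG] [monitor-6] com.example.Ix expireTime=Sat Feb 23 23:45:00 AST 2019",
    "[00:00:01.250] [DEBUG] [worker-2] Next request",
]
# Constructed: the date Splunk would otherwise take from the file itself.
FILE_DATE = date(2019, 2, 23)

# The props.conf settings under discussion, mirrored as Python constants.
TIME_PREFIX = r"^\["
TIME_FORMAT = "%H:%M:%S.%3N"
MAX_TIMESTAMP_LOOKAHEAD = 12


def splunk_to_strptime(fmt: str) -> str:
    """Translate Splunk's sub-second directives to Python's %f.
    Assumption for this example: Python's %f accepts 1-6 digits, so a
    truncated fraction still parses (with a wrong value), while Splunk's
    %3N expects exactly three digits."""
    return fmt.replace("%3N", "%f").replace("%6N", "%f").replace("%N", "%f")


def extract_time(event: str, prefix, fmt: str, lookahead: int):
    """Emulate TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD.

    The lookahead window starts at the end of the prefix match (or at
    offset 0 when no prefix is set) and the format is searched within that
    window. This is an approximation written for this example, not Splunk's
    code. Returns a datetime.time, or None when nothing parses.
    """
    start = 0
    if prefix:
        m = re.search(prefix, event)
        if not m:
            return None
        start = m.end()
    window = event[start:start + lookahead]
    pyfmt = splunk_to_strptime(fmt)
    # strptime needs the whole string to match, so try every substring of
    # the window, longest first, from each offset.
    for i in range(len(window)):
        for j in range(len(window), i, -1):
            try:
                return datetime.strptime(window[i:j], pyfmt).time()
            except ValueError:
                continue
    return None


def _seconds(t: time) -> float:
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def stamp_events(events, file_date: date, detect_rollover: bool = True,
                 prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                 lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Attach a date to time-only events.

    detect_rollover=False gives every event file_date, the 'today' fallback
    described above, which puts the post-midnight events before the ones
    that preceded them. detect_rollover=True advances the day whenever the
    clock jumps backwards by more than 12 hours, treating that as a midnight
    wrap rather than a slightly late event (a heuristic chosen for this
    example, not something Splunk does).
    """
    current = file_date
    prev = None
    stamped = []
    for event in events:
        t = extract_time(event, prefix, fmt, lookahead)
        if t is None:
            stamped.append(None)  # parse failure; caller decides what to do
            continue
        if detect_rollover and prev is not None and _seconds(prev) - _seconds(t) > 12 * 3600:
            current += timedelta(days=1)
        stamped.append(datetime.combine(current, t))
        prev = t
    return stamped


def demo(detect_rollover: bool = True):
    """Stamp the constructed sample events starting from FILE_DATE."""
    return stamp_events(SAMPLE_EVENTS, FILE_DATE, detect_rollover)


if __name__ == "__main__":
    for label, flag in (("file date only", False), ("rollover detected", True)):
        print(label)
        for ev, ts in zip(SAMPLE_EVENTS, demo(flag)):
            print("  ", ts.isoformat(timespec="milliseconds"), ev[:40])
```

Running it shows that TIME_PREFIX=^\[ with a lookahead of 12 and no prefix with a lookahead of 13 both recover 00:00:00.015, that a lookahead of 12 without the prefix truncates the window to "[00:00:00.01" and silently yields a wrong millisecond value, and that stamping every event with the file date makes the 00:00:00.015 event sort before 23:59:59.120 unless the day is advanced.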

rashid47010
Communicator

My event starts with [09:34:09.584]:

[09:34:09.584] [DEBUG] [WebContainer : 3] [User:14xx7] com.gide.vmxxg.xx.xx.axxxation.ixxerceptors.VxxsFrontControllerInterceptor - Response SOAP:

0 Karma

lakshman239
Influencer

Do you not have any date fields?

0 Karma

rashid47010
Communicator

No, there is no date field. It is taking the file date.

0 Karma

lakshman239
Influencer

Assuming Sat Feb 23 23:45:00 AST 2019 as the timestamp, as the rest of them do not have dates, you can use this:

https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configuretimestamprecognition

[your_sourcetype]
TIME_PREFIX = expireTime=
TIME_FORMAT = %a %b %d %H:%M:%S %Z %Y
MAX_TIMESTAMP_LOOKAHEAD = 30

0 Karma

tiagofbmm
Influencer

Here is what you should have:

SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=expireTime=\w{3}\s
TIME_FORMAT=%b %d %H:%M:%S %Z %Y
MAX_TIMESTAMP_LOOKAHEAD=24

Let me know

0 Karma