Splunk Enterprise

could not use strptime to parse timestamp from "" timestamp

mah
Builder

Hi,

I have a problem with the timestamp of my logs: it is the same for all events, whereas there must be one event each minute.

I can also see a "none" in the timestamp field:

Here are some raw events:

{"dimensions": ["CLOUD_APPLICATION_NAMESPACE", "CLOUD_APPLICATION_INSTANCE_DEPLOYMENT_TYPE_KUBERNETES_STATEFUL_SET"], "metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", "timestamp": 1612807800000, "value": 6144000000.0}
{"dimensions": ["CLOUD_APPLICATION_NAMESPACE", "CLOUD_APPLICATION_INSTANCE_DEPLOYMENT_TYPE_KUBERNETES_STATEFUL_SET"], "metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", "timestamp": 1612807740000, "value": 6144000000.0}
{"dimensions": ["CLOUD_APPLICATION_NAMESPACE", "CLOUD_APPLICATION_INSTANCE_DEPLOYMENT_TYPE_KUBERNETES_STATEFUL_SET"], "metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", "timestamp": 1612807680000, "value": 6144000000.0}
{"dimensions": ["CLOUD_APPLICATION_NAMESPACE", "CLOUD_APPLICATION_INSTANCE_DEPLOYMENT_TYPE_KUBERNETES_STATEFUL_SET"], "metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", "timestamp": 1612807620000, "value": 6144000000.0}
{"dimensions": ["CLOUD_APPLICATION_NAMESPACE", "CLOUD_APPLICATION_INSTANCE_DEPLOYMENT_TYPE_KUBERNETES_STATEFUL_SET"], "metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", "timestamp": 1612807560000, "value": 6144000000.0}
{"dimensions": ["CLOUD_APPLICATION_NAMESPACE", "CLOUD_APPLICATION_INSTANCE_DEPLOYMENT_TYPE_KUBERNETES_STATEFUL_SET"], "metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", "timestamp": 1612807500000, "value": 6144000000.0}

Here is my props.conf (applied on the heavy forwarder, not on the search head):

[my_sourcetype]
SHOULD_LINEMERGE = false
TIME_PREFIX = timestamp
TIME_FORMAT = %s%3Q
TRUNCATE = 999999
MAX_EVENTS = 10000

Can you tell me what is wrong?

1 Solution

mah
Builder

Hi @richgalloway,

I got the answer and it is completely my fault!

There was a mistake in the name of the sourcetype in my inputs.conf ....

Now there is no more "none" value and the TIME_PREFIX is applied correctly.

Thanks for your help anyway!

richgalloway
SplunkTrust

They may not help, but try these settings.

[my_sourcetype]
SHOULD_LINEMERGE = false
TIME_PREFIX = timestamp":
TIME_FORMAT = %s%3N
TRUNCATE = 999999
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 15

mah
Builder

Hi @richgalloway,

Thanks for your reply, but it does not work at all ... the value "none" is still present in the timestamp field and the parsing is not applied:

New props.conf with your modification:

SHOULD_LINEMERGE = false
TIME_PREFIX = timestamp":
TIME_FORMAT = %s%3Q
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 999999
MAX_EVENTS = 10000

The result:

The _time is still the indexing time...

Can you see another solution, please?

Perhaps the format of my logs? The values of the timestamp are not in quotation marks; does this cause the problem?

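A pre-flight check that replays the two things this thread turned on: the stanza richgalloway suggested (TIME_PREFIX = timestamp": with a 15-character lookahead and %s%3N) against the raw events from the question, and whether inputs.conf actually references the props.conf stanza name, which was the real cause. This is an added example, not Splunk's own timestamp engine or any code from the thread; the inputs.conf text is constructed with a deliberate typo, the monitor path is a placeholder, and skipping leading whitespace after the prefix is an assumption of the emulation.

```python
import re
from datetime import datetime, timezone

# Stanza from richgalloway's reply; in props.conf TIME_PREFIX is a regex.
PROPS = {"stanza": "my_sourcetype", "TIME_PREFIX": r'timestamp":',
         "MAX_TIMESTAMP_LOOKAHEAD": 15}

# Constructed inputs.conf: the sourcetype has a typo (the mismatch the thread
# ended up finding); the monitor path is a placeholder.
INPUTS_CONF = "[monitor:///PLACEHOLDER/metrics.json]\nsourcetype = my_sourcetyp\n"

# Two raw events from the question: epoch milliseconds, one minute apart.
EVENTS = [
    '{"metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", '
    '"timestamp": 1612807800000, "value": 6144000000.0}',
    '{"metricId": "builtin:cloud.kubernetes.namespace.memoryRequests", '
    '"timestamp": 1612807740000, "value": 6144000000.0}',
]

def extract_time(event, props=PROPS):
    """Emulate TIME_FORMAT = %s%3N: after the TIME_PREFIX match, read 10 digits
    of epoch seconds plus 3 digits of milliseconds, but only inside the
    MAX_TIMESTAMP_LOOKAHEAD window. Returns None when nothing parses.
    Note: with the bare prefix 'timestamp', the window starts at '": ' and a
    13-digit value no longer fits in 15 characters."""
    m = re.search(props["TIME_PREFIX"], event)
    if not m:
        return None
    window = event[m.end():m.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    d = re.match(r"\s*(\d{10})(\d{3})", window)  # leading-space skip is assumed
    if not d:
        return None
    return datetime.fromtimestamp(int(d.group(1)) + int(d.group(2)) / 1000,
                                  tz=timezone.utc)

def sourcetypes_in_inputs(inputs_conf):
    """Collect every 'sourcetype = ...' value declared in an inputs.conf text."""
    return {v.strip() for v in re.findall(r"^sourcetype\s*=\s*(.+)$",
                                          inputs_conf, re.M)}

def check(props=PROPS, inputs_conf=INPUTS_CONF, events=EVENTS):
    """Return the problems found; empty means the stanza is referenced by an
    input and gives each sample event its own _time."""
    problems = []
    if props["stanza"] not in sourcetypes_in_inputs(inputs_conf):
        problems.append(f"no input uses sourcetype {props['stanza']!r}")
    times = [extract_time(e, props) for e in events]
    if any(t is None for t in times):
        problems.append("TIME_PREFIX/TIME_FORMAT did not match every event")
    elif len(set(times)) != len(times):
        problems.append("events collapse onto the same _time")
    return problems
```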