Hi All,

I am trying to built the parsing stanza for one of the data, while testing I am getting an pop-up message stating that "could not use the strptime to parse timestamp from “2022-26-05T11:29:57”.

  As soon as I apply the Time_Format stanza the Splunk is throwing the message.  I am not sure what I am missing here.  so could you please help me resolving this issue.

Event details:

<Event CompactMode="1" sEventType="OpResult" dwBasicEventType="9" dwAppSpecificEventID="5000" sEventID="EVENT_ID_SCHEDULER_STARTED" sOriginatingApplicationName="RED Identity Management Console" sOriginatingApplicationComponent="Scheduler" sOriginatingApplicationVersion="5.5.3.0" sOriginatingSystem="XXXXXXXXXXXXX" sOriginatingAccount="XXXX\XXXXX" dtPostTime="2022-26-05T11:29:57" sMessage="RED Identity Management Console (running as user XXXX\XXXXX) on system XXXXXXXXXXXXX; - background processor started"/>

Props stanza

SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\<Event
NO_BINARY_CHECK=true
TIME_PREFIX=dtPostTime\=\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD=20

Event Details:

[5/26/2022 4:09:55 PM UTC] Note: Unknown provider type; cannot verify object name 'tbl_BaseJobInfo' valid for data store.

Props.conf

SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\[\d+\/\d{2}\/\d{4}\s\d+\:\d{2}\:\d{2}\s[^\]]+\]
NO_BINARY_CHECK=true
disabled=false
TIME_PREFIX=^\[
TIME_FORMAT=%m-%d-%Y %I:%M:%S %p %s
MAX_TIMESTAMP_LOOKAHEAD=25