Could not use strptime to parse timestamp

stwong · ‎05-02-2012

Hi all,

I'm adding detail files from FreeRadius, which looks like following:

Wed May 2 10:28:04 2012
NAS-IP-Address = 192.168.193.67
User-Name = "a12345677"
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
[snipped]

I specified following in props.conf:

TIME_FORMAT=%a %b %d %H:%M:%S %Y
TIME_PREFIX=^

The Data Preview panel complains about "Could not parse strptime to parse timestamp", although it is still okay to identify individual records. I wonder if I make any mistake in the format string . Would anyone please help?

Thanks a lot.

goelli · ‎03-06-2017

Is there any news on this topic?
I have the same problem...

stwong · ‎03-09-2017

I left this question unchecked for long tims, as the time can be parsed correctly...

stwong · ‎05-02-2012

Same result after changing %d to %e.
Anyway, thanks for your help.

/ST

kristian_kolb · ‎05-03-2012

see update above. /k

kristian_kolb · ‎05-02-2012

You should change the %d (01-31) for a %e (1-31) in TIME_FORMAT.

UPDATE:
What are the values for timestartpos and timeendpos? Do they correspond to where your timestamp begins and ends? Those fields are automatically extracted, but to see them you may have to click the "View all XX fields" in the field picker on the left.

Perhaps you need to remove/change the TIME_PREFIX and specify a MAX_TIMESTAMP_LOOKAHEAD.

Please post a complete event, and what time splunk interprets, and the timestartpos and timeendpos.

Hope this helps,

Kristian

sdaniels · ‎05-02-2012

I didnt see that option...good to know.

Could not use strptime to parse timestamp

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes