When testing a schema with pantherlog, you get an error of the following form:
EventTime: DecodeTime: parsing time "..." as "...": cannot parse "..." as "...", error found in #10 byte of ...
To resolve this issue, ensure that in the schema test YAML file you specify the result's p_event_time in the following format:
p_event_time: YYYY-mm-ddTHH:MM:SS.fffZ
For example, 2:45:18.545 AM on Nov 21, 2022 would be written as
If you encountered this error message as a classification failure in your custom schema, follow these steps to verify whether the format of the field in the raw event matches the time format declared in the schema:
- Navigate to your custom schema and check how the affected timestamp field has been declared. For example, it might be declared as shown below:
  - name: example_field
    type: timestamp
    timeFormats:
      - rfc3339
- Check the format of the field in the incoming raw event. For example, if the value of the field is "2023-07-28 16:46:15.000000000", the parser tries to match it against the declared RFC3339 format, which does not accept that value (it has a space instead of "T" and carries no timezone). As a result, the above error message appears.
- To correct this, declare multiple time formats for the field so the parser can fall back to one that matches, as shown below:
  - name: example_field
    type: timestamp
    timeFormats:
      - rfc3339
      - "%Y-%m-%d %H:%M:%S.%N"
A common mistake in pantherlog is to write the p_event_time result in the same format as the input timestamp. However, Panther has strict rules on the formatting of p_event_time, leading to the error seen above. This issue can also occur when the time format of a field doesn't match the declared time format in the schema.
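To make both failure modes concrete (a raw value that matches none of the declared timeFormats, and a p_event_time written in the input's format rather than Panther's strict one), here is an added example that is not Panther's or pantherlog's code. It emulates the timeFormats fallback for the two formats on this page, rfc3339 and a strftime-style layout with %N, and emits the value as p_event_time must be spelled; the UTC assumption for layouts without a zone designator and the %N-to-microsecond truncation are assumptions of this example.

```python
from datetime import datetime, timezone
import re

# Strict shape the test YAML must use for p_event_time: YYYY-mm-ddTHH:MM:SS.fffZ
P_EVENT_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
# RFC 3339 shape: date, "T", time, optional fraction, then "Z" or a numeric offset
RFC3339_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def is_valid_p_event_time(value: str) -> bool:
    # True only for the exact format Panther accepts; "2023-07-28 16:46:15.000000000" fails here
    return bool(P_EVENT_TIME_RE.match(value))


def _six_digit_fraction(raw: str) -> str:
    # Normalise any fractional-seconds run to exactly 6 digits (microseconds), which both
    # datetime.fromisoformat() and strptime's %f accept; nanosecond digits beyond that are dropped
    return re.sub(r"\.(\d+)", lambda m: "." + (m.group(1) + "000000")[:6], raw)


def _parse_rfc3339(raw: str) -> datetime:
    if not RFC3339_RE.match(raw):
        raise ValueError(f'cannot parse "{raw}" as rfc3339')
    iso = _six_digit_fraction(raw)
    # Python < 3.11 fromisoformat() does not accept a trailing "Z"; spell the UTC offset out
    return datetime.fromisoformat(iso[:-1] + "+00:00" if iso.endswith("Z") else iso)


def _parse_strftime(raw: str, layout: str) -> datetime:
    # pantherlog layouts use %N for nanoseconds; Python's strptime only has %f (microseconds)
    dt = datetime.strptime(_six_digit_fraction(raw), layout.replace("%N", "%f"))
    # Assumption of this example: a layout with no zone designator is taken as UTC
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_with_formats(raw: str, time_formats: list) -> datetime:
    # Mirror the schema's timeFormats list: try each declared format in order, first match wins
    errors = []
    for fmt in time_formats:
        try:
            return _parse_rfc3339(raw) if fmt == "rfc3339" else _parse_strftime(raw, fmt)
        except ValueError as exc:
            errors.append(str(exc))
    raise ValueError("DecodeTime: " + "; ".join(errors))


def p_event_time_for(raw: str, time_formats: list) -> str:
    # Emit the parsed time the way p_event_time must be written: UTC, millisecond precision, trailing Z
    dt = parse_with_formats(raw, time_formats).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"
```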