QUESTION

How do I resolve ErrorMessage=Timestamp ' ' is not recognized when querying custom schema data in Data Explorer?

ANSWER

This happens when your custom parser sets one or more timestamp fields to an empty string. Panther expects timestamp fields to be either a valid timestamp or None. Empty strings can cause Data Explorer queries to fail.

Update your script parser so missing, invalid, or empty values are set to None:

def parse(log):
    fields = log.split(",")

    field_map = {
        "ReceiveTime": 1,
        "SerialNumber": 2,
        # ...add remaining fields as needed
    }

    parsed_fields = {}

    for field_name, index in field_map.items():
        if (
            index < len(fields)
            and fields[index] != "FUTURE_USE"
            and len(fields[index]) > 0
        ):
            parsed_fields[field_name] = fields[index]
        else:
            parsed_fields[field_name] = None

    return parsed_fields

If changing the parser does not resolve the error, create a new copy of the schema, detach the old schema from the log source, attach the new schema, and re-run the log collector to reprocess the data with the updated parser.