Issue

When trying to test an event in Panther against my custom schema the following error occurs:

"...unconverted string: "821", error found in #10 byte of ...|080041821"|..., bigger context ...|"2024-07-29 17:00:00.080041821"|..."

Resolution

To resolve this issue update the timeFormats of your timestamp fields to parse the timestamp values as nanoseconds (%N) instead of microseconds (%f) using the %N indicator i.e. the correct strftime expression for  the value 2024-07-29 17:00:00.080041821is "%Y-%m-%d %H:%M:%S.%N".

Cause

The timestamp 2024-07-29 17:00:00.080041821 contains nanosecond precision, represented by the last nine digits 080041821. The %f format specifier in the strftime function can only parse up to six digits for microseconds. As a result, when Panther attempts to convert the string 080041821 using the %f specifier, it cannot correctly interpret the last three digits (821), resulting in the "unconverted string" error.