When testing a schema with pantherlog, you get an error of the following form:
EventTime: DecodeTime: parsing time "..." as "...": cannot parse "..." as "...", error found in #10 byte of ...
To resolve this issue, make sure that in the schema test YAML file you specify the result's p_event_time in the following format:
p_event_time: YYYY-mm-ddTHH:MM:SS.fff Z
For example, 2:45:18.545 AM on Nov 21, 2022 would be written as 2022-11-21T02:45:18.545 Z.
If you encountered this error message as a classification failure in your custom schema, you can follow these steps to verify whether the format of the field matches the declared time format:
Navigate to your custom schema and check how the affected timestamp field has been declared. For example, it might be declared as shown below:
- name: example_field
  type: timestamp
  timeFormats:
    - rfc3339
Check the format of the field in the incoming raw event. For example, if the value of the field is "2023-07-28 16:46:15.000000000", then the parser tries to match it against the RFC3339 time format, which does not accept that value (the date and clock time are separated by a space rather than a T). As a result, the error message above appears.
To correct this, declare multiple time formats for the field, as shown below; the parser tries them in order:
- name: example_field
  type: timestamp
  timeFormats:
    - rfc3339
    - "%Y-%m-%d %H:%M:%S.%N"
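The following Go program is an added example written for this article; it is not Panther's or pantherlog's own code. It reproduces both rules above: a timeFormats list is tried in declaration order until one layout accepts the raw value (the same "2023-07-28 16:46:15.000000000" value fails with rfc3339 alone and succeeds once the second format is declared), and a schema-test p_event_time value is checked against the YYYY-mm-ddTHH:MM:SS.fff Z shape. The translation of Panther's format names into Go time.Parse layouts, the regular expression, and the sample values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Go layouts standing in for the schema's timeFormats entries. Mapping
// Panther's format names to Go layouts is an assumption made for this example.
var timeFormats = []string{
	time.RFC3339Nano,                // rfc3339
	"2006-01-02 15:04:05.000000000", // "%Y-%m-%d %H:%M:%S.%N"
}

// ParseWithFormats tries each layout in order, the way a multi-entry
// timeFormats declaration is resolved, and returns the first successful parse.
// If no layout matches, the last parse error is returned; its text has the
// same "parsing time ... as ...: cannot parse ..." shape as the DecodeTime
// error quoted at the top of the article.
func ParseWithFormats(value string, layouts []string) (time.Time, error) {
	var lastErr error
	for _, layout := range layouts {
		t, err := time.Parse(layout, value)
		if err == nil {
			return t.UTC(), nil
		}
		lastErr = err
	}
	return time.Time{}, lastErr
}

// pEventTimeShape is the documented YYYY-mm-ddTHH:MM:SS.fff Z shape written
// as a regular expression (constructed for this example).
var pEventTimeShape = regexp.MustCompile(`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3} Z$`)

// ValidPEventTime reports whether a schema-test result value is written in
// the required p_event_time format. The regexp checks the shape; the parse
// then confirms the digits form a real date and time.
func ValidPEventTime(value string) bool {
	if !pEventTimeShape.MatchString(value) {
		return false
	}
	_, err := time.Parse("2006-01-02T15:04:05.000", strings.TrimSuffix(value, " Z"))
	return err == nil
}

func main() {
	raw := "2023-07-28 16:46:15.000000000" // constructed raw-event value

	// With rfc3339 alone, the space before the clock time breaks parsing.
	if _, err := ParseWithFormats(raw, timeFormats[:1]); err != nil {
		fmt.Println("rfc3339 only:", err)
	}

	// With the second format declared as well, the same value is accepted.
	if t, err := ParseWithFormats(raw, timeFormats); err == nil {
		fmt.Println("both formats:", t.Format(time.RFC3339Nano))
	}

	// Schema-test result values: the documented form passes, the raw input
	// format reused as p_event_time does not.
	fmt.Println(ValidPEventTime("2022-11-21T02:45:18.545 Z"))
	fmt.Println(ValidPEventTime("2023-07-28 16:46:15.000000000"))
}
```

Running the program prints the rfc3339-only parse error first, which is a convenient way to see exactly which character of the raw value the declared format trips over before editing the schema.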
A common mistake in pantherlog is to write the p_event_time result in the same format as the input timestamp. However, Panther has strict rules on the formatting of p_event_time, which leads to the error seen above.
This issue can also occur when the time format of a field doesn't match the declared time format in the schema.