Issue

When testing a schema with pantherlog, you get an error of the following form:

EventTime: DecodeTime: parsing time "..." as "...": cannot parse "..." as "...", error found in #10 byte of ...

Resolution

To resolve this issue, please ensure that in the schema test YAML file, you specify the result's p_event_time in the following format:

p_event_time: YYYY-mm-ddTHH:MM:SS.fff Z

For example, 2:45:18.545 AM on Nov 21, 2022 would be written as 2022-11-21T02:45:18.545 Z.


If you encountered this error message as a classification failure in your custom schema, you can follow these steps to verify whether the format of the field matches the declared time format:

  1. Navigate to your custom schema and check how the affected timestamp has been declared.
     For example, it might be declared as shown below:

     - name: example_field
       type: timestamp
       timeFormats:
         - rfc3339

  2. Check the format of the field in the incoming raw event.
     For example, if the value of the field is "2023-07-28 16:46:15.000000000", the parser tries to match it against the rfc3339 time format, which does not accept that value. As a result, the above error message appears.

  3. To correct this, declare multiple time formats for the field, as shown below:

     - name: example_field
       type: timestamp
       timeFormats:
         - rfc3339
         - "%Y-%m-%d %H:%M:%S.%N"
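
The following Go program is an added illustration, not Panther's own code: it models the ordered timeFormats lookup from step 3 (rfc3339 first, then a Go layout equivalent to "%Y-%m-%d %H:%M:%S.%N"), reproduces a DecodeTime-style error when no format matches, and renders the parsed value in the p_event_time layout required above. The layout strings and the function names parseEventTime and pEventTime are assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Layouts tried in order, mirroring the schema's timeFormats list:
// rfc3339 first, then the fallback that accepts
// "2023-07-28 16:46:15.000000000" (Go's equivalent of "%Y-%m-%d %H:%M:%S.%N").
var timeLayouts = []string{
	time.RFC3339Nano,
	"2006-01-02 15:04:05.000000000",
}

// parseEventTime tries each layout in order and returns the first match in UTC.
// When nothing matches, the error lists every layout's failure so the
// mismatch between raw value and declared format is visible at a glance.
func parseEventTime(raw string) (time.Time, error) {
	var errs []error
	for _, layout := range timeLayouts {
		t, err := time.Parse(layout, raw)
		if err == nil {
			return t.UTC(), nil
		}
		errs = append(errs, err)
	}
	return time.Time{}, fmt.Errorf("DecodeTime: no time format matched %q: %v", raw, errs)
}

// pEventTime renders a parsed time the way the schema test YAML expects:
// YYYY-mm-ddTHH:MM:SS.fff Z (millisecond precision, a space, then a literal Z).
func pEventTime(t time.Time) string {
	return t.UTC().Format("2006-01-02T15:04:05.000 Z")
}

func main() {
	// Constructed sample values: one RFC3339, one in the raw format from step 2,
	// and one that matches neither declared format.
	for _, raw := range []string{
		"2022-11-21T02:45:18.545Z",
		"2023-07-28 16:46:15.000000000",
		"28/07/2023 16:46",
	} {
		t, err := parseEventTime(raw)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s -> p_event_time: %s\n", raw, pEventTime(t))
	}
}
```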

Cause

A common mistake in pantherlog is to write the p_event_time result in the same format as the input timestamp. However, Panther has strict rules on the formatting of p_event_time, which leads to the error shown above.

This issue can also occur when the time format of a field doesn't match the declared time format in the schema.