This is how my WebLogic logs look :
<TimestampUntilSeconds> <Fixed Number of Other tags here> <1369087465001> More data here
As you can see, they have a timestamp in the beginning, then they have some other information , then there's the time in milliseconds since 1970 and then there's the rest of the log.
Now, as expected, Splunk takes the first timestamp and ignores what appears to be a random number. But the timestamp is not accurate enough for me, so I would like to store the last three digits of the number as the milliseconds. How would I go about that?
There are several tools to use from http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition, most importantly in your case TIME_FORMAT to tell Splunk that it's looking for a unix timestamp, TIME_PREFIX to tell Splunk where to look, and MAX_TIMESTAMP_LOOKAHEAD to tell Splunk how far to keep looking after that.
There are several tools to use from http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition, most importantly in your case TIME_FORMAT to tell Splunk that it's looking for a unix timestamp, TIME_PREFIX to tell Splunk where to look, and MAX_TIMESTAMP_LOOKAHEAD to tell Splunk how far to keep looking after that.
Based on the old definitions yes, but you can tell Splunk to read milliseconds using %3N. See the above link (minus the comma) for reference.
Isn't a UNIX timestamp per definition accurate on the second? I need accuracy on the millisecond.