@woodcock I tried your config by creating the sourcetype directly on splunk cloud but it isn’t working, 

timestamp is still getting rounded in the event instead of accurately displaying the timestamp with milli seconds.

Hi

have you try %3Q instead of %3N? Probably doesn’t help, but maybe worth for try?

r. Ismo

I am just keeping the sourcetype to test for testing purposes on my stand alone test server, I have applied the below props and i am still getting the error:

couldnot use strptime to parse timestamp from "2023-04-07 11-37-39.354"

Failed to parse timestamp, defaulting to file modtime.

these logs are already being indexed and sent to splunk cloud, we have an on prem HF in place.

is it possible to extract the timestamp from the event directly and apply it to timestamp field at search time?

I used the below search but still my timestamp is getting rounded 

index="abc" sourcetype="test"
| rex "\["BS"\":\"(?<event_time>\d{4}-\d{2}-\d{2} \d{2}-\d{2}-\d{2}\.\d{3})\""
| eval timestamp=strptime(event_time,"%Y-%m-%d %H-%M-%S.%3N")

for ex: "2023-04-07 11-37-39.354" is rounded to 4/7/23 11:37:40.000 AM under Time column in search.

@gcusello It didn’t worked, timestamp is getting rounded to nearest second

Hi @Roy_9,

it's really strange: because timestamp extraction doesn't round, it reads the time and assign it to the timestamp; then, if you used %3N, it should take the milliseconds.

Could you share your props.conf?

Ciao.

Giuseppe

The TIME_PREFIX handles regular expressions so the double quote should not need escaping.  Having said that there is no harm in escaping the double quote.

Also, it does not look like standard JSON format to me so I doubt Splunk would handle it, as it would fail to parse it as JSON.  

@yeahnah I tried your config by creating the sourcetype directly on splunk cloud but it isn’t working, 

timestamp is still getting rounded in the event instead of accurately displaying the timestamp with milli seconds.