Y'all,
I have events from a Windows event log, and the application writes the time with ms precision into the Message field of the event, along with other app data. So the Message field looks like:
Message=2022-05-05 22:34:11.756|lots|of|app|logging|pipe|seperated
matching the strftime format "%Y-%m-%d %H:%M:%S.%3N"
I have this in my props.conf (there are no "quotation marks" around the Message value in the event):
[WinEventLog:RPA]
TIME_PREFIX = Message=
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
But I still get all events tagged with the time (probably from the Windows event time) with second accuracy, not ms. I check that with a search like:
index=my_app_events source="WinEventLog:MyApp"
| convert timeformat="%Y-%m-%d %H:%M:%S.%3N" ctime(_time)
| table _time Message
Is it possible to have ms accuracy in _time (I saw somewhere that it was second granularity) or am I missing something else?
Thanks In Advance,
R.
P.S. For bonus points: in some error cases, the Message= field will contain error data with no timestamp. In such a case, of course, I want to fall back to the Windows Event timestamp.
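
An offline way to check the behaviour the post asks for on sample events, as an added example that is not part of the original post and is not Splunk's implementation: it splits a buffer with the lookahead from the LINE_BREAKER above, takes the millisecond timestamp after Message= when one parses, and otherwise falls back to the event header time. The header layout (`%m/%d/%Y %I:%M:%S %p`), the extra key=value lines and the sample events are constructed assumptions.

```python
import re
from datetime import datetime

# Break before a header date, using the lookahead from the LINE_BREAKER in the post.
BREAK_RE = re.compile(r"[\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2})")
# Assumed header layout of each event: MM/DD/YYYY hh:mm:ss AM|PM on the first line.
HEADER_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")
# Equivalent of TIME_PREFIX = Message= followed by %Y-%m-%d %H:%M:%S.%3N.
MSG_TS_RE = re.compile(r"Message=(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

# Constructed sample events (not real log data).
SAMPLE_OK = ("05/05/2022 10:34:11 PM\nLogName=Application\n"
             "Message=2022-05-05 22:34:11.756|lots|of|app|logging|pipe|seperated")
SAMPLE_ERR = ("05/05/2022 10:34:12 PM\nLogName=Application\n"
              "Message=Unhandled exception in worker")
SAMPLE_BAD = ("05/05/2022 10:34:13 PM\nLogName=Application\n"
              "Message=2022-13-45 99:99:99.000|not|a|real|time")

def split_events(buf):
    """Split a raw buffer into events at each header date."""
    return [e for e in BREAK_RE.split(buf) if e.strip()]

def event_time(raw):
    """Return (datetime, source); source is 'message', 'header' or 'none'."""
    m = MSG_TS_RE.search(raw)
    if m:
        try:
            # %f accepts the three millisecond digits and scales them to microseconds.
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), "message"
        except ValueError:
            pass  # right shape but not a valid date/time: fall through to the header
    h = HEADER_RE.match(raw)
    if h:
        return datetime.strptime(h.group(1), "%m/%d/%Y %I:%M:%S %p"), "header"
    return None, "none"

def timeline(buf):
    """Resolve a timestamp for every event in the buffer."""
    return [event_time(e) for e in split_events(buf)]

if __name__ == "__main__":
    for ts, source in timeline("\n".join([SAMPLE_OK, SAMPLE_ERR, SAMPLE_BAD])):
        print(source, ts.isoformat(timespec="milliseconds") if ts else None)
```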