And this is how Splunk web displays those two timestamps
11/12/10 2:38:32.000 AM
11/12/10 2:38:35.000 AM
I've tried to manually modify the source file to put a trailing 0 after the timestamp (to bring it to a millis format) and changed the regexes accordingly, but had no luck (after a full restart, too)
Anybody has an idea?