Hello,
I'm looking for a way to capture the original timestamp value/format from various logs. Here are some of the first x characters of _raw and _time from different logs.

• WinRegistry - 01/29/2020 13:57:46.835 - 2020-01-29 13:57:46
• access_combined - 172.127.127.5 - - [29/Jan/2020:13:57:46 -0500] - 2020-01-29 13:57:46
• apache:error - [Wed Jan 29 13:36:35.220666 2020] - 2020-01-29 13:36:35.220
• Perfmon:Network - 01/29/2020 14:00:14.172 -0500 - 2020-01-29 14:00:14
• linux:audit - type=PATH msg=audit(1580322995.244:18661773) - 2020-01-29 13:36:35.244
• WinEventLog - 01/29/2020 01:39:08 PM - 2020-01-29 13:39:08.000
• WinHostMon - Type=Process new line Name="splunk-winhostinfo.exe" new line ProcessId=10472 new line - CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe" new line StartTime="20200129134140.479764-300" - 2020-01-29 13:41:40.000
• syslog_nohost - Jan 29 13:48:28 - 2020-01-29 13:48:28.000
• catalina_server - [29/Jan/2020:13:49:55] - 2020-01-29 13:49:55.000
• Unix:UserAccounts - Wed Jan 29 13:53:50 EST 2020 - 2020-01-29 13:53:50.000

As you can see, in some cases _raw uses millisecond, but _time doesn't; and vice versa.

Thanks and God bless,
Genesius