I am extracting the timestamp from events in microseconds (%Y-%m-%d:%H:%M:%S.%6N). But when index event timestamp is not showing in sub seconds. Always I see zeroth subsecond in timestamp. Is there any overwritten possible other than by props?
I think this is just a question of how Splunk shows _time. Try something like this to see if it helps.
<YOUR BASE SEARCH> | convert timeformat="%Y-%m-%d %H:%M:%S:%6N" ctime(_time) AS c_time | table c_time
