I'm not sure Splunk can deal with both microseconds and milliseconds.

I love precision just as much as the next guy, but do you NEED the microseconds? Or would you be happy enough with the milliseconds? Or seconds?

If I understand your time format correctly, it really says 23:57:02:019020

That's 19 milliseconds and another 20 microseconds. So there are no leading zeros in your timestamp format, for either ms or us, right?

If that is the case, I'd either

a) be happy with SECONDS. Skip everything after %H:%M:%S in your TIME_FORMAT
or
b) change the log format at the source. Leading zeros... you gotta have those.

UPDATE:

If you do not really need the events to be indexed at the correct millisecond, there is no need to try to fix any conversion at all (i.e. frame_no * 40 = ms). If I understood you correctly, you want to have the frame number as part of the timestamp, correct?

Would it then be possible to pretend that the frame number is actually the fraction of a second? Ending the TIME_FORMAT= with ...%M:%S:%2N+ lets Splunk believe that the frame number value is in hundredths of a second.

Looking at the events, especially in a timeline format, would obviously be wrong, since no events would ever come in between .25 and .99 of any given second - but you'd know this. Precision would still be pretty good for most intents and purposes, and you'd be indexing events on year-month-day-hour-minute-second-frame.

UPDATE2:

The 'solution' suggested above require that frames are written with leading zeros, i.e. the first frame is logged as '01' and not '1'. If not, there will be no distinction between frames 1 and 10, and frames 2 and 20. The rest should be fine. Forgot to mention that in my previous post. Sorry.

Maybe this approach is too much of cutting corners, but please let us know what you think.

hth,

Kristian

How is it not working? Time is completely wrong, or almost correct but not catching the milli/microseconds?