I'm using a Splunk 6.3.1 Universal Forwarder for Windows to forward a custom Event Viewer log to a Splunk indexer. It works fine, except the timestamps do not have millisecond precision. I used a TCP sniffer to confirm the Windows outbound 9997 packet does not have the milliseconds (01/12/2016 06:52:48 PM). Using Windows Event Viewer, I can look at the same EventRecordID event properties and see the millisecond detail IS available (TimeCreated [SystemTime] 2016-01-12T23:52:48.196341700Z).
Is there a configuration setting for the Forwarder I can make to send the timestamps with milliseconds?