The following query construct populates a summary index:
    source=1.log OR source=2.log
    | eval _time = case(source == "1.log", _time)
    | stats first(_time) as _time
            ….other fields….
            dc(source) as dc by id
    | search dc=2
The resolution of the _time timestamp for each source log is in milliseconds. Example: 2013-06-13 04:00:15,250
Question: Why isn't the resolution of the time in the summary index in milliseconds (e.g., 2013-06-13 04:00:15 +0000)?