Hi Splunkers,
I want to know how long it takes for Splunk to index the data, in subseconds. So I prepared the following configuration file.
props.conf
[sampledata]
DATETIME_CONFIG = CURRENT
But this time, Splunk adds timestamps (in this case, system time) in seconds to each event. I know that we cannot use the "TIME_FORMAT" option together with "DATETIME_CONFIG = CURRENT". And in the default setting, the index date (_indextime field) is also in second order.
How can we recognize these fields (the _indextime and _time fields) as values in subsecond order to calculate the index time?
Thank you for your help.