I'm using a Splunk 6.3.1 Universal Forwarder for Windows to forward a custom Event Viewer log to a Splunk indexer. Works fine except the timestamps do not have millisecond precision. I used a TCP sniffer to confirm the Windows outbound 9997 packet does not have the milliseconds (`01/12/2016 06:52:48 PM`). Using Windows Event Viewer, I can look at the same EventRecordID event properties and see the millisecond detail IS available (`TimeCreated [ SystemTime] 2016-01-12T23:52:48.196341700Z`).
Is there a configuration setting for the Forwarder I can make to send the timestamps with milliseconds?
How to configure wineventlog on a universal forwarder to include milliseconds in event timestamps?