Hi,

The events displayed in Splunk Web seems to miss the Timestamp on events that have the same timestamp.
Please see the data below for details.

For example:
In my log file I can see 3 entries as follows:

18:24:21.809 582   Event1 - Logging Event 1
18:24:21.809 582   Event2 - Logging Event 2
18:24:21.809 582   Event3 - Logging Event 3

But in Splunk Web I see the following:

Event3 - Logging Event 3
Event2 - Logging Event 2
18:24:21.809 582   Event1 - Logging Event 1

It does seem like its stripping off the timestamps on events.

Can you please let me know how to fix this?

Props.conf:

SHOULD_LINEMERGE = false
LINE_BREAKER = (([\r\n]+)(\d{2}:\d{2}:\d{2}.\d{3})) | (([\r\n]+)(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}))
TZ = UTC
DATETIME_CONFIG = /etc/customDatetime.xml

customDatetime.xml

<datetime>
        <define name="_fromat1" extract="hour, minute, second, subsecond">
                <text>(\d{2}):(\d{2}):(\d{2}).(\d{3})</text>
                </define>
        <define name="_format2" extract="year, month, day, hour, minute, second, subsecond">
                 <text>(\d{4})-(\d{2})-(\d{2})\s(\d{1,2}):(\d{2}):(\d{2}),(\d{3})</text>
        </define>
        <timePatterns>
                 <use name="_fromat1"/>
                 <use name="_format2"/>
        </timePatterns>
        <datePatterns>
                 <use name="_fromat1"/>
                 <use name="_format2"/>
        </datePatterns>
</datetime>