The following query construct populates a summary index:
source=1.log OR source=2.log
| eval _time = case(source == "1.log", _time)
| stats first(_time) as _time ….other fields…. dc(source) as dc by id
| search dc=2
The resolution of the _time time stamp for each source log is in milliseconds. Example: 2013-06-13 04:00:15,250
Question:
Why isn’t the resolution time in the summary index in milliseconds (e.g., 2013-06-13 04:00:15 +0000)?
It appears milliseconds are dropped by the command that creates the summary index file - I'm going to file a bug. Case 123267
I'm experiencing the same problem. Anything new about this bug?
Thank you Jason.
Lp