I've tried the maxspan=5s (even went to 24h). However, my audits look like this in Splunk...
3/11/14 8:45:58.171 AM, type=SYSCALL, exe="/usr/bin/rm", uid=1001
3/11/14 8:01:00.000 AM, type=PATH, item=1, name="/etc/shadow"
3/11/14 8:01:00.000 AM, type=PATH, item=0, name="/etc"
These events are created in the audit.log almost instantly, but it looks like the _time is off for the events that are type=PATH.
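Because the `_time` Splunk assigns differs between the SYSCALL and PATH records, the robust join key is the one auditd itself writes into every record of an event, the `msg=audit(epoch.millis:serial)` header. This added Python example (not from the original post) parses constructed audit.log lines, regroups them by serial and takes the event time from that header; it assumes the standard auditd raw line format, which the post's extracted fields do not show.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log lines (not from the original post). All records of one
# audit event share the same msg=audit(<epoch.millis>:<serial>) header, so the SYSCALL
# and PATH records of an event carry exactly one timestamp regardless of how an indexer
# later extracts _time. 1394527558.171 is 2014-03-11 08:45:58.171 UTC.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1394527558.171:8842): arch=c000003e syscall=263 success=yes exit=0 uid=1001 exe="/usr/bin/rm"
type=CWD msg=audit(1394527558.171:8842):  cwd="/root"
type=PATH msg=audit(1394527558.171:8842): item=0 name="/etc" inode=1234 dev=fd:01 mode=040755 ouid=0 ogid=0
type=PATH msg=audit(1394527558.171:8842): item=1 name="/etc/shadow" inode=5678 dev=fd:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1394527560.005:8843): arch=c000003e syscall=257 success=yes exit=3 uid=1001 exe="/usr/bin/cat"
type=PATH msg=audit(1394527560.005:8843): item=0 name="/etc/hostname" inode=91 dev=fd:01 mode=0100644 ouid=0 ogid=0
"""

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally quoted


def parse_record(line):
    """Return (serial, timestamp, record type, fields) for one raw audit record, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
    ts = datetime.fromtimestamp(float(m.group('ts')), tz=timezone.utc)
    return int(m.group('serial')), ts, m.group('type'), fields


def group_events(text):
    """Reassemble audit events keyed by serial; the time comes from the audit header."""
    events = {}
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, ts, rtype, fields = parsed
        ev = events.setdefault(serial, {'time': ts, 'syscall': None, 'paths': []})
        if rtype == 'SYSCALL':
            ev['syscall'] = fields
        elif rtype == 'PATH':
            ev['paths'].append(fields.get('name'))
    return events


def files_touched_by(events, exe):
    """Paths touched by events whose SYSCALL record names the given executable."""
    return sorted(name for ev in events.values()
                  if ev['syscall'] and ev['syscall'].get('exe') == exe
                  for name in ev['paths'])
```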