The value that actually goes into _time is in Unix epoch seconds.
It doesn’t matter what precision you look for with TIME_FORMAT= … it still only goes into _time in whole seconds.
If you want to keep the higher-resolution value for use elsehow, you’ll need to add a specific field extraction for them.
Since this is JSON, you can probably do the following in a search:
...
| eval timestamp=strftime('@timestamp',"%Y-%m-%dT%H:%M:%S.%6N"))
...
from User warren – Stack Overflow https://stackoverflow.com/questions/68636429/why-is-splunk-not-showing-miliseconds-for-json/68641595#68641595
via IFTTT