The _time field is stored in Unix epoch format – ie in whole seconds
Here is a relevant post from /r/Splunk that goes into the format of bucket names (and Unix epoch timestamps) – https://www.reddit.com/r/Splunk/comments/osrcr6/is_splunk_the_best_option_for_storing_data/h6r8vw7
And the Docs.Splunk citation from that post: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/HowSplunkstoresindexes#Bucket_naming_conventions
from User warren – Stack Overflow https://stackoverflow.com/questions/68838020/splunk-http-event-collector-why-does-my-time-field-have-000-milliseconds/68838375#68838375
via IFTTT