I have a Splunk search string. If I add earliest=10/05/2020:23:59:58, the search string still works. However, if I changed that to earliest=10/05/2020:23:59:58:01, I got an error message say invalid value "10/05/2020:23:59:58:01" for time term 'earliest'. Does that mean Splunk's earliest parameter's precision is to second only? I cannot find the answer in their documents.
Thanks!
Yes, earliest's precision is limited to "standard" Unix epoch time (ie the number of elapsed seconds since the dawn of Unix (arbitrarily set to 01 Jan 1970 00:00:01 (or, sometimes, 31 Dec 1969 23:59:59))) because the _time field holds whole-number seconds.
Splunk knows how to convert timestamps seen with more precision than mere seconds, but that does not mean _time natively holds them.
_time, and, therefore, anything that references it (like earliest) does not understand subsecond precision. For that, you will need to have another field that contains it in your event.
For millisecond search time, include timeformat=%m/%d/%Y:%H:%M:%S:%3N together with your earliest=10/05/2020:23:59:58:01.
