That does mean incorrect timestamp parsing. Please review the timestamp parsing related parameters (refer to the document that I mentioned in my answer) for your data's sourcetype in the props.conf

It does not have to mean incorrect time parsing. As far as I can see, there is more than one time-related field whereas _time can be parsed obviously from only one from them. It's up to @Dalidavinci_Wor 's team to decide which field is most important and should indeed be used as _time value in the events.

With the other fields - you can filter on them (they might need strptime()-ing if they're not properly calculated from the event as they are) but you have to do it explicitly using "| where" condition and have to remember that the timepicker or earliest/latest parameters for the search only limit _time field, not any other field that might contain a timestamp value. So the limits might be completely unrelated. You might get - with a search for last 15 minutes - events pertaining to something that - for example started long ago (like a created_date for a ticket which was created a year ago but changes status 5 minutes ago so you have an event from 5 minutes ago but the ticket's timestamp included in the event would be from a year ago).

So does this  still go back to  changing the below?

" data's sourcetype in the props.conf"

Or can I run a query where created date or created_date is less than 2 days? 

Presntly I have the below:

index="storage_vmax" sourcetype="dellemc:vmax:rest" type=ARRAY severity = FATAL
|search (severity!=NORMAL AND severity!=INFORMATION)
| stats count by _time,source,created_date,reporting_level,severity,asset_id,array_id,type, state,description

Depends whether you do have multiple timestamps in your logs or not. If your events contain only a single timestamp, it should be parsed into the _time field. This way you can easily limit your search using earliest/latest conditions or timerange picker.

But if your events do have another field which is parsed into _time and additionally have this created_date field, you must limit that created_date in a different way.

The first part of your search stays mostly the same (the question is if your severity field is multivalue or single valued because you're already searching only for severity=FATAL so there's not much point of filtering out the NORMALs and INFORMATIONs unless you have multivalued field).

index="storage_vmax" sourcetype="dellemc:vmax:rest" type=ARRAY severity = FATAL

Then you have to parse a timestamp from your created_date field

| eval cdate=strptime(created_date,"appropriate format for your date")

See the https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Commontimeformatvariables article for the format variables to use depending on your date format in the created_date field

Then you can limit your search only to those events where this timestamp is bigger (not earlier than) now() - your desired interval. For example, for getting only last 24h of events you'd use

| where cdate>= now()-86400

And now you can do your stats

| stats count by _time,source,created_date,reporting_level,severity,asset_id,array_id,type, state,description

The caveat in this solution is that since your created_date is unrelated to the _time field, you might have to look from a bigger timerange to make sure to get all events containing your desired created_date values.