I believe unfortunately that the "%e" opption still winds up with two characters.
Though lot of python tutorials do not mention it, when the day number is less than 10
"%e" seems to front pad with a blank, where "%d" frontpads with a zero.
As is born out by the folowing ksh and python script content and output.

#----------------------

#!/bin/ksh

# ksh_date_with_d_and_e

# If current day of the month is greater than 9 then print date time out

# for the 9th of the month. Otherwise print out current date time

#

DAY=date +%e

if [ $DAY -gt 9 ]

then

let BACK=$DAY-9

else

BACK=0

fi

date -d "$BACK days ago" +"%y/%d/%m %k:%M:%S"

date -d "$BACK days ago" +"%y/%e/%m %k:%M:%S"

# END

SAMPLE OUTPUT:

11/09/12 10:50:15

11/ 9/12 10:50:15

#----------------------

#!/usr/bin/python

# python_date_with_d_and_e"

# Using hard coded date here

#

import time

t = (2011, 12, 9, 17, 3, 38, 1, 48, 0)

t = time.mktime(t)

print time.strftime("%y/%d/%m %k:%M:%S", time.gmtime(t))

print time.strftime("%y/%e/%m %k:%M:%S", time.gmtime(t))

# END

SAMPLE OUTPUT:

11/09/12 23:03:38

11/ 9/12 23:03:38

#----------------------

Unless splunk does something special for "%e" different than python or ksh,

it seems this would still not match for a single character day in date field

I have not had a chance to experiment further so is still conjecture on my part.