According to some sources (including strftime.net) %e designates a month 1-12, and %m from 01-12, i.e. the difference is in the leading zero. Try to substitute the %m for %e in your TIME_FORMAT.

This might not seem relevant, since Splunk parsed the date OK, but having part of the timestamp parsed wrong, can lead to unpredictable results, and splunk may be looking at numerical values further into the message to find something it thinks is the correct time.

Check the values for timestartpos and timeendpos fields, which contain how far into the event (in bytes) splunk had to go to identify the timestamp.

UPDATE:
Please note that this will not affect already indexed events, just new ones coming in after the configuration change.

I guess that you are doing this through the web GUI, rather than through the config files, and I'm not really up to date on the new wizard-style "add data" thingy.

Yes, the space is supposed to be there. Somewhere in your file system there will be a file called props.conf where this setting ended up.

Look in either of the following locations;

$SPLUNK_HOME/etc/apps/search/local
$SPLUNK_HOME/etc/apps/launcher/local 
$SPLUNK_HOME/etc/system/local

$SPLUNK_HOME is the splunk installation directory, typically /opt/splunk on Nix-machines, and c:\program files\splunk on Windows

There you will find the name of your sourcetype inside square brackets, with the corresponding configuration parameters underneath, e.g.

[your_sourcetype]
TIME_FORMAT = %d/%e/%Y %H:%M:%S:%3N:

There will be other parameters as well, and the same configuration can be present in more than one of these props.conf files.

Please post the parameter value for TIME_FORMAT, along with a few lines of real log data (mask out ip-addresses, usernames etc if you need to).

Hope this helps,

Kristian