"1/20/11 4:13:55.000 AM" is what splunk intreprets when plotting the event against timeline and displaying the event for review, and 2002-01-01 is what actually recorded in the log (the time is because of time reset due to power outage)
My question is how splunk gets the time and how to reconcile the difference?
I think because the time from the log file was too far in the past Splunk discards it and instead uses "index" time - that is the time the event was indexed. I seem to recall reading this in the docs from previous version but can no longer find such a reference. Here is a good article though that may help you understand things a bit better - http://www.splunk.com/base/Documentation/4.2/Data/HowSplunkextractstimestamps
 - found the info here about timestamps in the past / future
Specifies the maximum number of days in the past, from the current date, that an extracted date can be valid.
For example, if MAX_DAYS_AGO = 10 then Splunk ignores dates older than 10 days from the current date.
Default is 2000.
Note: If you have data that is more than 2000 days old, increase this setting.
Specifies the maximum number of days in the future from the current date that an extracted date can be valid.
For example, if MAX_DAYS_HENCE = 3, dates that are more than 3 days in the future are ignored.
False positives are less likely with a tighter window.
If your servers have the wrong date set or are in a timezone that is one day ahead, set this value to at least 3.
Defaults to 2. This allows timestamp extractions that are up to a day in the future.