There are a couple of possible things going on here. If the forwarder in question is what's known as a heavy forwarder (that is, a full instance of Splunk with an outputs.conf), it may be parsing the events (and handling event breaking) before it ever gets to the indexer.
Assuming that's not the case, I've heard it said that Splunk wants to capture both a date and a time with TIME_PREFIX, and if it can't, then it assumes it got the wrong answer and doesn't consider what it found to be a valid "_time", which is typically how the event boundary is determined.
I'd go with @somesoni2's answer above, as the quick way to fix the problem.