... that would be true if you delete the csv file from splunk before you upload it. Do you?
If not, then splunk is probably only setting new timestamps on any "new" or "changed" records that it uploads, or records after the first new/changed one.
There's a fairly complete description of how timestamps work in this post -
https://answers.splunk.com/answers/148926/wrong-timestamp-of-csv.html
But the other part, not talked about there, is the old thing about fishbuckets and splunk already knowing what's in that file and where it left off.
If you set up the file with some kind of junk comment header record at the top, which changes daily, then when splunk ingests the file, it should mark all the records as new-ish, assuming I am interpreting the docs correctly.
... View more