This is perhaps a bit old, but the documentation indicates a few things that may be relevant (and a few that may not):
1) Make sure that your TIME_FORMAT, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD are correct.
2) From the docs on timestamp assignment, if the preceding steps to determine the event time fail: "5. For file sources, if no date can be identified in the file name, Splunk uses the file's modification time." See http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps for more info. Your stated event timestamps seem to indicate that this is what happens.
3) CHARSET configuration should be in props.conf on the forwarder, NOT on the indexer, as per http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings . Failure to use the correct CHARSET may possibly cause your regexes to fail.
4) MAX_DAYS_HENCE should not play any part here.
5) On a side note (and this may not be relevant in your case), you might set the alwaysOpenFile parameter in inputs.conf to 1 on the forwarder. http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
Hope this helps,
Kristian
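To make points 1 to 3 of the answer above concrete, here is an added Python model of the timestamp-assignment chain (not Splunk's own code and not from the original post): decode the line with CHARSET, find TIME_PREFIX, parse TIME_FORMAT inside a MAX_TIMESTAMP_LOOKAHEAD window, and otherwise fall back to the file's modification time. The props.conf stanzas are expressed as dicts using the real setting names; the event line, the mtime and the UTF-16LE encoding of the file are constructed sample data, and the parser itself is a simplification of Splunk's real behaviour.

```python
import re
from datetime import datetime, timezone

# Constructed sample event and the file's modification time that Splunk would
# fall back to when no timestamp can be extracted (both invented for this example).
RAW_LINE = "[2013-02-14 08:05:42] user=alice action=login result=ok"
FILE_MTIME = datetime(2013, 2, 15, 23, 59, 0, tzinfo=timezone.utc)
# Assumption for the example: the application writes the log as UTF-16LE without a BOM.
SAMPLE_BYTES = RAW_LINE.encode("UTF-16LE")

# Constructed props.conf-style stanzas. The keys are the Splunk setting names from
# the post; the dict form and the parser around it are this example's own toy model.
PROPS_OK = {
    "CHARSET": "UTF-16LE",
    "TIME_PREFIX": r"^\[",
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",
    "MAX_TIMESTAMP_LOOKAHEAD": 19,
}
# Same stanza, but the lookahead window stops before the time-of-day part.
PROPS_SHORT_LOOKAHEAD = dict(PROPS_OK, MAX_TIMESTAMP_LOOKAHEAD=10)
# Same stanza, but CHARSET does not match the bytes actually on disk.
PROPS_WRONG_CHARSET = dict(PROPS_OK, CHARSET="UTF-8")


def parse_with_lookahead(window, time_format):
    """Try strptime on the lookahead window, trimming trailing characters until
    the remaining prefix parses. Returns a naive datetime or None."""
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def assign_event_time(raw_bytes, props, file_mtime):
    """Model of the chain described in the answer. Returns (datetime, source),
    where source is "event" when the timestamp came from the line and "mtime"
    when the file modification time was used as the last resort."""
    # A wrong CHARSET does not necessarily raise: with errors="replace" the text
    # simply comes out mangled, and the regex/strptime steps then fail on it.
    text = raw_bytes.decode(props["CHARSET"], errors="replace")
    match = re.search(props["TIME_PREFIX"], text)
    if match is None:
        return file_mtime, "mtime"
    start = match.end()
    window = text[start:start + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    parsed = parse_with_lookahead(window, props["TIME_FORMAT"])
    if parsed is None:
        return file_mtime, "mtime"
    return parsed.replace(tzinfo=timezone.utc), "event"


def compare_stanzas():
    """Run the three constructed stanzas against the same bytes and report which
    source each one ends up using, to show why the symptom looks like mtime."""
    return {
        name: assign_event_time(SAMPLE_BYTES, props, FILE_MTIME)[1]
        for name, props in [
            ("correct", PROPS_OK),
            ("short_lookahead", PROPS_SHORT_LOOKAHEAD),
            ("wrong_charset", PROPS_WRONG_CHARSET),
        ]
    }


if __name__ == "__main__":
    for name, source in compare_stanzas().items():
        print(f"{name:16s} -> timestamp taken from {source}")
```

Only the stanza whose CHARSET matches the file and whose lookahead covers the whole timestamp yields the event's own time; the other two silently end up on the file's modification time, which is exactly the symptom the answer attributes to step 5 of the docs.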