Right, so in case it can help someone in the future, here are my findings.
As said, the syslog message does not contain the year. Then it happened that Splunk actually took the last part of the IP of the device (.18) and used it as the year (=2018) for some reason. I noticed that actually all my devices with IPs ending in .14, .15, .16, .17 and .18 had this problem.
One way to "solve" it is to use props.conf.
Solution 1
[host::(*.14|*.15|*.16|*.17|*.18)]
DATETIME_CONFIG = CURRENT
This is not really good because, if I am correct, it replaces the timestamp with the time Splunk receives the message.
Solution 2
MAX_DAYS_AGO = 363
There it seems it keeps the timestamp of the syslog message and just sets the year to 2019.
This is still pretty weird for me and looks more like a bug (???)
Any additional comment is welcome.
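To make the behaviour described in the post reproducible, here is an added Python illustration (not Splunk's code, and not from the original post) of how a year-less syslog timestamp can pick up an IP octet as its year, and what each of the two props.conf settings discussed above changes. The sample log lines, the fixed "now" of 2019-03-11, the year-hunting heuristic (first standalone two- or four-digit number within a lookahead window), and the 2000-day / 2-day plausibility limits are all assumptions made for the example, chosen so that hosts ending in .14 to .18 are the ones affected from a 2019 vantage point, as the post reports.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): BSD-style syslog
# timestamps carry no year, and the host field that follows is an IP address.
LINE_18 = "Mar 10 12:34:56 10.20.30.18 sshd[4242]: Accepted publickey for alice"
LINE_13 = "Mar 10 12:34:56 10.20.30.13 sshd[4242]: Accepted publickey for alice"
LINE_200 = "Mar 10 12:34:56 10.20.30.200 sshd[4242]: Accepted publickey for alice"

# Fixed "now" so the example is reproducible; the post was written in 2019.
NOW = datetime(2019, 3, 11)

MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

_SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})")


def year_from_lookahead(rest, lookahead):
    """Assumed heuristic (not Splunk's real algorithm): treat the first standalone
    two- or four-digit number in the next `lookahead` characters as the year.
    For '10.20.30.18 sshd...' the first such token is the last octet, '18'."""
    m = re.search(r"(?<!\d)(\d{4}|\d{2})(?=\s|$)", rest[:lookahead])
    if not m:
        return None
    year = int(m.group(1))
    return year + 2000 if year < 100 else year


def extract_timestamp(line, now, max_days_ago=2000, max_days_hence=2,
                      lookahead=30, explicit_format=False, use_current=False):
    """Model of the three behaviours discussed in the post.

    use_current     -> like DATETIME_CONFIG = CURRENT: ignore the event, use `now`.
    explicit_format -> like pinning TIME_FORMAT to '%b %d %H:%M:%S': never hunt for a year.
    max_days_ago    -> a guessed year is only accepted if the result is at most this
                       many days in the past (2000 and 2 are assumed defaults here).
    """
    if use_current:
        return now
    m = _SYSLOG_TS.match(line)
    if not m:
        return None
    month, day = MONTHS[m["mon"]], int(m["day"])
    hms = (int(m["h"]), int(m["m"]), int(m["s"]))

    guessed = None if explicit_format else year_from_lookahead(line[m.end():], lookahead)
    if guessed is not None:
        try:
            ts = datetime(guessed, month, day, *hms)
        except ValueError:      # e.g. Feb 29 in a guessed non-leap year
            ts = None
        if ts is not None:
            age = now - ts
            if -timedelta(days=max_days_hence) <= age <= timedelta(days=max_days_ago):
                return ts       # the bogus year looks plausible, so it sticks

    # No usable year: assume the current year, rolling back one year if that
    # would put the event in the future.
    ts = datetime(now.year, month, day, *hms)
    if ts > now + timedelta(days=max_days_hence):
        ts = ts.replace(year=now.year - 1)
    return ts


def demo(now=NOW):
    """Return the parsed timestamps (ISO strings) for each scenario in the post."""
    return {
        "host .18, defaults": extract_timestamp(LINE_18, now).isoformat(),
        "host .13, defaults": extract_timestamp(LINE_13, now).isoformat(),
        "host .200, defaults": extract_timestamp(LINE_200, now).isoformat(),
        "host .18, DATETIME_CONFIG=CURRENT": extract_timestamp(LINE_18, now, use_current=True).isoformat(),
        "host .18, MAX_DAYS_AGO=363": extract_timestamp(LINE_18, now, max_days_ago=363).isoformat(),
        "host .18, explicit TIME_FORMAT": extract_timestamp(LINE_18, now, explicit_format=True).isoformat(),
    }


if __name__ == "__main__":
    for scenario, ts in demo().items():
        print(f"{scenario:36} -> {ts}")
```

Under these assumptions the .18 host lands in 2018 because a five-year-old event is still "plausible", the .13 host does not because 2013 is more than 2000 days back, and the .200 host is untouched because "200" is neither two nor four digits. Lowering the age limit to 363 days (Solution 2) makes the 2018 guess implausible, so the parser falls back to the current year while keeping the month, day and time, which is the behaviour the post observed. The `explicit_format` path models the approach commonly recommended for this kind of source: pin the timestamp with TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD in props.conf so there is no year hunt in the first place.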