Hi @JonzOo, as I said, probably the problem is that there's a wrong configuration of the timestamp. In other words, you probably have in your logs a date in European format (dd/mm/yyyy hh.mm.ss), while Splunk reads it in American format (mm/dd/yyyy hh:mm:ss); in fact Splunk correctly reads your timestamp when day and month are the same or when there's no doubt (e.g. days greater than 12). So your logs are indexed with a wrong date (e.g. 1st of September is read as 9th of January). Verify your TIME_FORMAT or share an example of your log. If you want help with this check, you should share some log examples so we can check your TIME_FORMAT. I suggest opening a new question so it will be possible for you to accept the answer. Ciao. Giuseppe
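A small check of the day/month ambiguity described above, added here as an example and not part of Giuseppe's answer or of Splunk: it tries each candidate strptime format (the analogue of TIME_FORMAT) against constructed sample lines, counts how many parse, and checks the parsed times stay in order, since a wrong field order typically makes an appended log look like it runs backwards. It assumes the same time separator in both candidates so that only the day/month order differs.

```python
from datetime import datetime

# Constructed sample lines in European order (dd/mm/yyyy); not taken from the post.
SAMPLE_LOGS = [
    "02/09/2023 08:15:02 login ok user=alice",
    "02/09/2023 09:30:45 login ok user=bob",
    "01/10/2023 10:05:11 login failed user=carol",
    "13/10/2023 11:20:00 login ok user=dave",
]

# Candidate formats, named like the post's two interpretations (hypothetical labels).
CANDIDATE_FORMATS = {
    "european": "%d/%m/%Y %H:%M:%S",
    "american": "%m/%d/%Y %H:%M:%S",
}


def parse_prefix(line, fmt):
    """Parse the leading two tokens (date and time) with fmt; None if they do not fit."""
    stamp = " ".join(line.split()[:2])
    try:
        return datetime.strptime(stamp, fmt)
    except ValueError:
        return None


def diagnose(lines, formats=CANDIDATE_FORMATS):
    """For each candidate format return how many lines parse and whether the parsed
    timestamps are non-decreasing (logs are normally appended in time order)."""
    report = {}
    for name, fmt in formats.items():
        stamps = [s for s in (parse_prefix(l, fmt) for l in lines) if s is not None]
        ordered = all(a <= b for a, b in zip(stamps, stamps[1:]))
        report[name] = {"parsed": len(stamps), "ordered": ordered}
    return report


def ambiguous(line, fmt_a, fmt_b):
    """True when both formats accept the line but yield different instants: the case
    that is indexed silently with a wrong date (e.g. 1 September read as 9 January)."""
    a, b = parse_prefix(line, fmt_a), parse_prefix(line, fmt_b)
    return a is not None and b is not None and a != b


def best_format(lines, formats=CANDIDATE_FORMATS):
    """Prefer the candidate that keeps order, then the one that parses most lines."""
    report = diagnose(lines, formats)
    return max(report, key=lambda n: (report[n]["ordered"], report[n]["parsed"]))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOGS))
    print("best:", best_format(SAMPLE_LOGS))
```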