What is needed to change Splunk to only index using the System Date/Time? I have data indexed today with a date of 2030 and 2001.
Look at the attributes MAX_DAYS_AGO and MAX_DAYS_HENCE in props.conf (where you define your sourcetype):
http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Propsconf
MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an
  extracted date can be valid. Splunk still indexes events with dates older
  than MAX_DAYS_AGO with the timestamp of the last acceptable event. If no
  such acceptable event exists, new events with timestamps older than MAX_DAYS_AGO
  will use the current timestamp.
* For example, if MAX_DAYS_AGO = 10, Splunk applies the timestamp of the last
  acceptable event to events with extracted timestamps older than 10 days in
  the past. If no acceptable event exists, Splunk applies the current timestamp.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.

MAX_DAYS_HENCE = <integer>
* Specifies the maximum number of days in the future from the current date
  that an extracted date can be valid. Splunk still indexes events with dates
  more than MAX_DAYS_HENCE in the future with the timestamp of the last acceptable
  event. If no such acceptable event exists, new events with timestamps after
  MAX_DAYS_HENCE will use the current timestamp.
* For example, if MAX_DAYS_HENCE = 3, Splunk applies the timestamp of the last
  acceptable event to events with extracted timestamps more than 3 days in the
  future. If no acceptable event exists, Splunk applies the current timestamp.
* The default value includes dates from one day in the future.
* If your servers have the wrong date set or are in a timezone that is one
  day ahead, increase this value to at least 3.
* Defaults to 2 (days), maximum 10950.
* IMPORTANT: False positives are less likely with a tighter window, change
  with caution.
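
The fallback rule quoted above, modelled as an added example (not Splunk's code and not part of the original answer), so you can see which `_time` an event with a 2030 or 2001 date would receive. The function names, the inclusive window boundaries, and the sample timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def assign_timestamps(extracted, now, max_days_ago=2000, max_days_hence=2):
    """Model the documented MAX_DAYS_AGO / MAX_DAYS_HENCE fallback.

    Returns one (assigned_time, source) pair per event, in input order.
    Assumption: the window boundaries are treated as inclusive.
    """
    oldest = now - timedelta(days=max_days_ago)
    newest = now + timedelta(days=max_days_hence)
    last_ok = None  # timestamp of the last acceptable event seen so far
    assigned = []
    for ts in extracted:
        if oldest <= ts <= newest:
            last_ok = ts
            assigned.append((ts, "extracted"))
        elif last_ok is not None:
            # Out of window: reuse the last acceptable event's timestamp.
            assigned.append((last_ok, "last_acceptable"))
        else:
            # Out of window and nothing acceptable yet: use current time.
            assigned.append((now, "current"))
    return assigned

def rewritten(assigned):
    """Indexes of events whose extracted date was rejected and replaced."""
    return [i for i, (_, src) in enumerate(assigned) if src != "extracted"]

# Constructed sample: extracted dates in arrival order, with a fixed "now".
NOW = datetime(2016, 5, 10, 12, 0)
SAMPLE = [
    datetime(2030, 1, 1),           # far future, no acceptable event yet
    datetime(2016, 5, 10, 11, 58),  # inside the window
    datetime(2001, 3, 4),           # older than 2000 days
    datetime(2016, 5, 11, 9, 0),    # less than 2 days ahead
    datetime(2030, 6, 1),           # far future again
]

if __name__ == "__main__":
    for raw, (ts, src) in zip(SAMPLE, assign_timestamps(SAMPLE, NOW)):
        print(f"{raw.isoformat()} -> {ts.isoformat()} ({src})")
```

Events that land in `rewritten()` keep their original date only in the raw text, so a time-bounded search or correlation rule sees them at the substituted time.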