Please provide a sample of an event (the very latest one you have would be great) so we can check how the timestamp looks.
Also a few quick questions:
1) When these logs were coming in can you estimate about how many per second came in? Hundreds per second? Dozens per minute? (Generalities like those are fine, I'm just using this information to help narrow down exactly when it stopped).
2) Is there any way to "create" a special log entry that you can identify WITHOUT using the time? For instance if it's a firewall log can you try going to certain IP you haven't visited before to generate a log entry for, like, http://199.2.2.4/ ? (Note I have NO idea what's at that site if anything!) Maybe try a known site with a silly string it in http://amazon.com/ROYROGERSHADAHORSE/
If you can do #2, please describe what you did, then pop into Splunk and search for that special string or IP you should have created over all time and see if it shows up?
IF SO please include that event here too!
... View more