Yeah, I poked around with those regex settings; it fixed some of the problems, but there were still some oddities like this.
Looking at the splunkd.log, I assume this is because the event is more than 2000 days old.
DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event
The TIME_FORMAT specified is matching timestamps (Fri Jun 18 14:48:58 2010) outside of the acceptable time window. If this timestamp is correct,
consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE
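As an added example, not part of the original post: a props.conf stanza that matches the timestamp format shown in the warning and widens the lookback window so a 2010 event is accepted instead of inheriting the previous event's time. The sourcetype name `oldlogs` is a placeholder, the timestamp is assumed to sit at the start of each line, and the MAX_DAYS_AGO value is an assumption chosen to cover events this old.

```ini
# props.conf on the indexer or heavy forwarder that parses the data
# (placeholder sourcetype; example added here, not from the original post)
[oldlogs]
# Matches "Fri Jun 18 14:48:58 2010" exactly
TIME_FORMAT = %a %b %d %H:%M:%S %Y
# That pattern is 24 characters; assumes the timestamp starts the line
MAX_TIMESTAMP_LOOKAHEAD = 24
# Default is 2000 days, which is why a 2010 event falls outside the window
# and triggers "Failed to parse timestamp" in splunkd.log.
# Assumed value; Splunk's documented maximum for this setting is 10951.
MAX_DAYS_AGO = 10000
# Timestamps further in the future than this also fall back to the previous event
MAX_DAYS_HENCE = 2
```

These settings apply at index time, so they only affect data indexed after the stanza is in place; already-indexed events keep the timestamp they were given.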