I had some issues with is parsing JSON when there was white space in the event. When I removed all the white space it parsed correctly. Example (exaggerated for clarity):
{ "eventdata" : "some data" } --> did not parse correctly
{"eventdata":"some data"}--> parsed correctly
I was generating logs through the PowerShell cmdlet ConvertTo-Json $input
By adding the -Compress switch I have gotten Splunk to reliably index all events.
Not sure this is your issue, but worth as shot. Hope this helps!
... View more