We have Splunk free version protected by IBM Tivoli Access Manager. SPlunk indexes the access logs from access manager. There are no logs in the system before Sep 2013 since system is just implemented. Whenever I run a search in Splunk for events e.g. from Feb 2013 onwards the my access gets logged in access manager log with following string
splunk/en-US/app/search/flashtimeline?q=search%20*&earliest=1360573200&latest=1384074000
Splunk indexes this as event occurred in Feb 2013 (as per my example above) and show this under Feb 2013 events while the actual timestamp in the log is todays date . Why Splunk is treating the above as Feb 2013 event and how to fix this issue?