This has tripped up a few people (including myself) in the last couple of weeks, so I figured it would be worth pointing out. If you are working with old data (>5 years), you need to let Splunk know. The default value of MAX_DAYS_AGO (props.conf) is 2000 days, which works out to a little over 5 years. If you use the preview feature of Splunk, you can see the issue right away.
But of course, thinking I was an Über Splunker, I bypassed the preview and spent the next 20 minutes trying to figure out what I did wrong. So let that be a lesson: use the data preview feature!…