Discrepancy of the events from what shows in the Advance Threat Protection (ATP) Dashboard and what Splunk is getting.

ATP splunk forwarder's event gatherer component queries for all events within a window on 7 days. Anything reported after the 7th day window will not be pulled from public API. This is by design.