Hi Kiran,

Not Possible.

The reason is: Your Uf will collect data in the Server timezone(windows),but when the data is forwarded to indexers,the timestamp of the data will be changed to that of indexers time.Later when you search that event from SH,it will change to your profile's Timezone.

so there is lot of changes to your event time,Now if you have the one instance,then you can convert the time to epoch and add/substract from the epoch time to get the instance time.But what if you have instances in multiple timeZone??
So it is better to have a common timezone(GMT) rather than the instance time.

Hi kiran331,

May not be the best answer, but at least an idea:
On the forwarder create a scripted input http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptedInputsIntro that polls the current system time and puts it into a value of a field of your choice. This way you can index the time on the windows machine running the UF.

In Splunk Enterprise then need a scripted input or custom search command http://docs.splunk.com/Documentation/Splunk/latest/Search/AddthecustomcommandtoSplunk to poll/query a NTP server to be able to compare it with the time from the UF.

But, my advise would be a different approach.

Instead of hunting wrong times, why not check if NTP is configured on your windows machine? First configure NTP for all machines and then check if any of them are out of sync. Maybe this blog post can help https://blogs.technet.microsoft.com/heyscriptingguy/2015/05/27/powershell-time-sync-get-and-evaluate... ?

Sorry not a windows person, just trying to be helpful 🙂

Cheers, MuS