I have indexer in UTC+3 timezone and universal forwarder on syslog server in UTC+6 timezone. I tried to set up timezone recognition and set TZ = Asia/Novosibirsk in props.conf for [sourcetype::syslog].

But when I'm trying to search events (user which I use also has UTC+3) time setting I see UTC+6 time in _time field.

Please help me to fix this.