hi deepashri,

Thank you. I already figured that re-indexing is only option but just thought to raise it over forums to check if there exists any alternate solution.

https://answers.splunk.com/answers/52755/timezones-timestamps-on-data.html?utm_source=typeahead&utm_...

@deepashri_123 : A query related to re-indexing - We are using Splunk SaaS big setup here as per client's Application need. The logs from application servers are getting mounted via filers (autofs) to a separate server where UF is installed. From those mounted filers the UF fetch and forward the data to Splunk Cloud Indexer.
Now the twist here is that, all the data (logs, zip, etc) inside those filers mount are rolling data. By that i mean , it gets deleted after certain period of time and replaced with new files.
In this case, could you please suggest how any kind of re-indexing option would work? (be it cleaning fishbucket/crcSalt/initCrcLength/btprobe).

Since the data is not available can you try following options
1. Export raw data for the time period the TZ was wrong and reindex again.
2. Also you can try converting TZ in search time(Needs to be tested)

You can refer the link below:
https://answers.splunk.com/answers/224134/force-displayed-timezone-in-results-to-be-utc-not-1.html#a...
https://answers.splunk.com/answers/241917/timezone-conversion-function.html

@deepashri_123 Thanks. But I don't think that's going to be convenient, as said we are using Splunk Cloud environment here and have no access to Splunk Cloud part i.e. Indexer, Searchhead etc.
Only access we have is of Universal Forwarders.
Also its a big environment and to ask for rawdata, will have to raise support case to Splunk Cloud people. Not sure how they will react to it.

To convert timezone at search time you don't need access to search head cli, you need to convert it in search time.

Refer this link:
https://answers.splunk.com/answers/241917/timezone-conversion-function.html
https://answers.splunk.com/answers/135380/eval-to-find-current-time-in-another-timezone.html