@Runals I think this will work out--I want to change whenever the host is 10-201-- TZ to UTC time.

[host::ip-10-201-38-20]
TZ=US/UTC-----------------------is this correct?

@jkat54 I think this will work out--I want to change whenever the host is 10-201-- TZ to UTC time.

[host::ip-10-201-38-20]
TZ=US/UTC-----------------------is this correct?

I believe that will make the time zone for all logs from that host UTC which likely isn't what you want to do. Do you have instances where the logs for the same sourcetype but different hosts are configured to log in different timezones?

Yes I want to change all logs from that host @Runals....NO i don;t have it

@Runals That stanza is correct or not? because i didn't see any changes in _time

the time/date settings are set upon ingestion and will only affect newer data from this host. Also I think you want to set it to US/EDT instead as from what I can tell you want it to be eastern timezone and it's currently GMT... again from what I can tell.

If you set it to US/UTC its seemingly the same timezone it's already applied.

The format of the stanza looks correct but depending on the version of Splunk you have you might have to restart the indexer(s). The data that has already been ingested is set. Setting the timezone will only impact new data.

You could also add 4 hours in splunk search prior to any statistical analysis:

... | eval _time=_time+14400

I did that eval _time=_time+14400...but the problem is when you set the Timerangepicker as Today---you can't get the data between 12AM-4AM bcoz of date changes. Whatever the data I'm getting after 4AM i'm changing _time by using above search

Runals has the better answer here. Please see his answer and let us know if there are any issues after implementing that.