We changed the TZ field from Asia/Shanghai to UTC.
The data that was indexed prior to the change has the "bad" splunk dates on it. Do we need to re-index or something? How can we reset those timestamps?
You can't change already indexed data in Splunk. You could mask the events with | delete to prevent them from showing up in future searches, then re-index the bad data with the TZ settings in place.
