I'm using an HTTP Event Collector to ingest Palo Alto logs from my syslog forwarders. Its using the raw endpoint: 'https://host:8088/services/collector/raw'

I'm using the Splunk_TA_paloalto to do sourcetyping and field extraction. it also does the time extraction which appears to work. However, my devices are in the pacific timezone and not UTC (don't ask why... I just can't fix it). So I create a local directory and a props.conf file in there that looks like:

-bash-4.2$ pwd
/opt/splunk/etc/master-apps/Splunk_TA_paloalto/local
-bash-4.2$ cat props.conf
[pan_log]
TZ = US/Pacific

[pan:traffic]
TZ = US/Pacific

Then I go to apply the cluster bundle and push the timezone changes to my indexers (this is an indexer cluster).

However, traffic still is received in the UTC timezone.  What am I missing? Why won't the indexers correct the time?

The Palo app takes in logs using the pan_log sourcetype. It then runs transforms to set the correct sourcetype to pan:traffic or whatever type (I'm testing with just traffic logs at this point). In theory, I think it should work with just the pan_log sourcetype as time extraction happens before transforms. But it isn't working. I also tried blocks for [source::http:myinput] but that did nothing as well.

What am I missing?

I'm also trying to change the TIME_FORMAT and override datetime.xml. That doesn't work either. Clearly I'm missing something.