Hi Kevin,
this is an excerpt from the docs:

To determine the time zone to assign to a timestamp, Splunk software uses the following logic:
1. Use the time zone specified in raw event data (for example, PST, -0800), if present.
2. Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.
3. If the forwarder and the receiving indexer are version 6.0 or later, use the time zone that the forwarder provides.
4. Use the time zone of the host that indexes the event.
Note: If you change the time zone setting of the host machine of your forwarder, you must restart the forwarder for the software to detect the change.

Check, if the event's timestamp contains a timezone. If you want to override that with your own, use the TIME_FORMAT setting to exclude the time zone from the timestamp. Since you want to index the same sourcetype from multiple time zones, bind the TZ settings rather to the host, not the sourcetype. That way you rule out that some settings on the indexer overrule your settings on the forwarder and you can keep it consistent. Please note that the time of the timestamp in the splunk UI will always be in the local timezone of the browser. So if I am at EST and the event is correctly indexed at 9:00 UTC, the UI would claim that the event was in fact at 4:00 local, assuming EST is UTC-5.
Oliver