I need to populate a summary index with events from the original index that match certain criteria. The original event has the time field in UTC, and I think there may be some rule applied to it so that any normal search using a time range returns the correct result.
The problem is that when the matching event gets indexed into the new summary index, the summarized event does not take the _time field value of the original index and instead stores the actual UTC time as the _time field, which causes any search against the summary index to fail due to the time difference.
The summary index is populated using a normal scheduled search with summary indexing enabled; I've also tried using the "collect" command to populate the summary index and played around with the addtime option, but I still have the same issue. Just to make it clearer, here's an example:
Original Event:
time data in _raw: 2018-10-18 04:31:04
_time field: 2018-10-18T15:31:04.000+11:00
Summary Event:
time data in _raw: 2018-10-18 04:31:04
_time field: 2018-10-18T04:31:04.000+11:00
Not sure what I'm missing here. I'd appreciate any input.