Thanks it worked. however now with this, I will not be able to make _time (index time) = datetimeNEW correct?

you can use _time inside the strptime command...
eval datetimeNEW=strftime(strptime(_time, "%Y%m%d %H%M%S%3Q"), "%Y %m %d %H:%M:%S:%3Q")

sorry for confusion what I meant is that I don't want _time to be equal to index time (that's what splunk does right now) I want it to use my datetimeNEW as a _time.

well, once the data is indexed, we can not / should not update the timestamp "_time ".
maybe, if you update us the more clear info about your issue, there can be some workaround.

one more question, how can I make a small change in my datetimnew? something like eval eval newtime=datetimenew+4 hours?

from Ayn's answer at - https://answers.splunk.com/answers/103552/adding-seconds-to-time.html

_time is actually in epoch format, Splunk just converts the format automatically before showing it to you so that it's human readable. So, to add 4 seconds, just do eval _time=_time+4.

Note that this is purely a search-time operation - if you want to do this at index-time the problem is much more complex because functions for performing arithmetic etc are not available.

so, do the strptime/strftime conversions after adding the 4hrs to _time..
you can easily add 4 hours to _time like -
eval _time=_time+14400

thank, I did that, but however not getting results.
with eval newtime=datetimenew I see new field newtime in list but as soon as I add
eval newtime=datetimenew+14400 no results.

check these...
| eval newtime=_time+14400
| eval datetimeNEW=strftime(strptime(newtime, "%Y%m%d %H%M%S%3Q"), "%Y %m %d %H:%M:%S:%3Q")

or

| eval datetimenew_epoch = strptime('datetimenew', "%Y %m %d %H:%M:%S:%3Q")
| eval datetimeAdded = datetimenew_epoch + 14400
| eval datetimeResult = strftime(datetimeAdded,  "%Y %m %d %H:%M:%S:%3Q")

yes thanks! I just messed up with parentheses.