What is your Splunk webinterface set to, timezone wise? (see your account settings) The time displayed by Splunk will always differ from the timestamp in the raw event, if the timezone of the event is different from the timezone you use to view Splunk. Splunk will present the time value in your timezone, regardless of the timezone in the raw event. Assuming you view Splunk in GMT+7 You ingest data with 2018 Apr 10 15:42:03:735 GMT +0700 You tell splunk that data is in UTC timezone (which it isn't) Splunk will interpret the timestamp from the raw event as UTC (GMT) timezone and then add 7h to calculate the time value that Splunk displays to you (assuming you have Splunk web interface set to show in GMT+7). This results in a time value of 4/10/18 10:42:03.735 PM So unless there is something more at hand, I think you need to simply make sure splunk interprets the timestamps in your events correctly. So either set the TZ to the correct value, or update the TIME_FORMAT setting to also read the timezone from the event. ... View more