Howdy again Kapilbk!
This could be happening because you have yet to add the timezone to your props.conf file. The reason I came to this conclusion is the following:
You have a log A, let's name it "Log_from_India", whose events will all be in the IST timezone, and a log B, "Log_from_Brasil", which will have a timezone of GMT-3. In both scenarios you use the same sourcetype "log4j" (from what I saw in pic_1), which uses the auto extraction of the timestamp by default. If you don't specify to Splunk what timezone they come from, it will use the timezone of the local server where Splunk resides, so both Log_from_Brasil and Log_from_India will be indexed with the same timezone (in your case IST).
So, returning to your example, even if your logs are from a place where the timezone is GMT, if you don't add any configuration to the sourcetype nor to the default stanza that specifies this, both events will be indexed as your local timezone, so your 4:36 AM GMT will be seen in Splunk as 4:36 AM IST and not 9:30 AM IST.
So if your logs from a Universal Forwarder come from a timezone that is different from your own, add in the sourcetype stanza the line TZ = TIMEZONE_FROM_YOUR_UF, for example:
TZ = Etc/GMT
I highly recommend, as a good practice, creating a new sourcetype where you can add this configuration; adding lines to the default stanza of props.conf can bring issues later on.
Regards!
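A worked version of the configuration described in the answer above, added here as an example and not taken from the original post: the existing sourcetype with no TZ beside a new, dedicated sourcetype for the GMT hosts. The sourcetype name `log4j_gmt`, the monitored path and the log4j timestamp layout are assumptions.

```ini
# props.conf on the indexer (or heavy forwarder) that parses the UF's data.
# TZ is applied when the event is parsed, so putting it only in a props.conf
# on the universal forwarder has no effect on the indexed _time.

# Before: the current sourcetype, no TZ line. The timestamp is auto-extracted,
# carries no offset, and is therefore assumed to be in the indexer's local
# zone (IST in the question), so 04:36 GMT is indexed as 04:36 IST.
[log4j]

# After: a separate sourcetype for the GMT hosts, leaving both the existing
# [log4j] stanza and the [default] stanza untouched.
[log4j_gmt]
TZ = Etc/GMT
# Pinning the format alongside TZ keeps auto-extraction from misreading the
# event. The format below assumes log4j's default "%d" pattern
# (e.g. 2024-01-15 04:36:00,123); adjust it to the real layout.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 24

# inputs.conf on the GMT host's universal forwarder: send the file under the
# new sourcetype so the TZ above is applied only to that host's events.
[monitor:///var/log/app/app.log]
sourcetype = log4j_gmt
```

After restarting the indexer, `sourcetype=log4j_gmt | eval indexed=strftime(_time, "%Y-%m-%d %H:%M:%S %Z") | table _raw indexed` shows whether the raw 04:36 timestamp now lands at the correct IST wall-clock time instead of 04:36 IST.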