Just to clarify, _indextime is the time that the event passed through the indexing queue and was written to disk on the peer. The time of this will be denoted by the local indexing peer's time, not the event time itself as logged on the UF.
This implies that if your timestamp config, timezones, or event system clocks are wrong, you will have a large delta.
That being said, there are some tell-tale signs that time zone configurations are wrong versus latency due to queue fill etc. As Murali288 and Dcarmack mention, if all events have an even time spread delta of 3 hours, this means there is a time zone configuration issue that should be looked at on the ingest / forwarder tier and set to match the indexing peer.
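The distinction drawn in the post above, as an added example that is not part of the original post: a small Python triage over exported `(host, _time, _indextime)` tuples that separates an even, whole-offset delta (time zone suspect) from a variable delta (queue latency). The thresholds, host names, function names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (not from the post); tune them for your environment.
TZ_STEP = 900        # real UTC offsets are multiples of 15 minutes
TZ_TOLERANCE = 60    # median delta must sit within 60 s of such a multiple
MAX_SPREAD = 120     # "even" delta: values for one host differ by <= 2 min
LATENCY_LIMIT = 300  # any delta above 5 minutes counts as ingestion latency


def classify(deltas):
    """Classify one host's (_indextime - _time) deltas, given in seconds."""
    mid = median(deltas)
    spread = max(deltas) - min(deltas)
    nearest = round(mid / TZ_STEP) * TZ_STEP
    # Constant, non-zero delta sitting on a plausible UTC offset: time zone.
    if nearest != 0 and abs(mid - nearest) <= TZ_TOLERANCE and spread <= MAX_SPREAD:
        return "timezone", nearest
    # Otherwise a large delta points at queue fill or forwarding delay.
    if max(deltas) > LATENCY_LIMIT:
        return "latency", None
    return "ok", None


def triage(events):
    """events: iterable of (host, _time, _indextime) in epoch seconds."""
    by_host = defaultdict(list)
    for host, event_time, index_time in events:
        by_host[host].append(index_time - event_time)
    return {host: classify(deltas) for host, deltas in by_host.items()}


# Constructed sample data: three hypothetical forwarders, ten events each.
BASE = 1_700_000_000
SAMPLE = (
    # Even 3-hour delta with a few seconds of jitter.
    [("uf-tz", BASE + i * 60, BASE + i * 60 + 10800 + i % 3) for i in range(10)]
    # Delta that grows as a queue fills.
    + [("uf-queue", BASE + i * 60, BASE + i * 60 + 20 + i * 90) for i in range(10)]
    # Healthy forwarder: a few seconds of delta.
    + [("uf-ok", BASE + i * 60, BASE + i * 60 + 2 + i % 4) for i in range(10)]
)

if __name__ == "__main__":
    for host, (verdict, offset) in sorted(triage(SAMPLE).items()):
        print(host, verdict, offset)
```

A negative offset means events are timestamped in the future relative to the indexing peer, which the same check reports as a time zone suspect.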