I have a firewall that is sending its logs using UTC time. Actually, all of our network devices send their data using UTC. I extracted the fields of the log file because it is comma-separated. The problem I am having is that the Splunk server is using EDT (UTC-4). So when I do searches and select "last 60 minutes" or any other relative time range, it shows the logs from 4 hours ago instead of the logs from the last 60 minutes up to now. This is the only device on my network having this problem in Splunk.

I am a power user, not the administrator, because of how roles are separated where I work. I tried changing DATETIME_CONFIG to CURRENT in the sourcetype settings, but when conducting searches it still collects the data using UTC and does not show the latest data. I have been getting by by always remembering to set an exact time window and adding 4 hours. In order to get my dashboards to present the right time I have to use the time picker, but it is starting to get annoying. It has happened, while troubleshooting, that I forgot to change the time and went crazy because I was not able to find the correct traffic data to pinpoint the problem.

As I said earlier, I am not an administrator, only a power user. So I do not have access to the syslog-ng server that collects the syslog data and forwards it to the search head, and I do not have access to the search head server, so I cannot change the props.conf file as I have seen people recommend. I am only able to make changes in the Splunk web portal. Any help is appreciated.
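The 4-hour skew described in the post comes from a timestamp that carries no zone designator being interpreted in the indexer's local zone (EDT) when it was actually written in UTC. The Python below, an added example that is not part of the original post or of Splunk itself, reproduces that effect on a constructed comma-separated firewall line and shows why a "last 60 minutes" window then returns events that really happened four hours earlier; it also shows the search-time correction (subtracting the offset from the parsed time) that a non-administrator can apply until the sourcetype's timezone is fixed at index time. The sample log lines, the field layout and the fixed UTC-4 offset standing in for EDT are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: the Splunk server's local zone in the post is EDT, a fixed UTC-4 here
# (a real deployment would use a named zone such as America/New_York).
EDT = timezone(timedelta(hours=-4), "EDT")

# Constructed sample lines: first field is a UTC timestamp with no zone designator,
# as the post describes. "Now" is fixed so the example is deterministic.
NOW = datetime(2024, 6, 3, 15, 0, 0, tzinfo=UTC)
RECENT = "2024-06-03 14:30:00,fw01,allow,10.0.0.5,8.8.8.8,53"    # 30 min before NOW
OLD = "2024-06-03 10:30:00,fw01,deny,10.0.0.9,203.0.113.7,445"   # 4.5 h before NOW
LINES = [RECENT, OLD]


def parse_timestamp(line, tz):
    """Parse the first comma-separated field as a naive timestamp and attach tz.

    This mirrors an indexer that has no TZ information for the sourcetype and
    falls back to its own local zone: the wall-clock digits are kept, only the
    zone label changes.
    """
    ts = line.split(",", 1)[0]
    naive = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz)


def skew_seconds(line, assumed_tz, actual_tz):
    """Seconds by which _time is wrong when a timestamp written in actual_tz
    is parsed as assumed_tz. Positive means the event lands in the future."""
    wrong = parse_timestamp(line, assumed_tz)
    right = parse_timestamp(line, actual_tz)
    return int((wrong - right).total_seconds())


def events_in_window(lines, parse_tz, now=NOW, window_seconds=3600):
    """Lines whose parsed _time falls in [now - window, now], i.e. what a
    'last 60 minutes' time picker would return."""
    lo = now - timedelta(seconds=window_seconds)
    return [ln for ln in lines if lo <= parse_timestamp(ln, parse_tz) <= now]


def corrected_events_in_window(lines, parse_tz, actual_tz, now=NOW, window_seconds=3600):
    """Search-time workaround: subtract the known skew from the mis-parsed time
    before filtering (the equivalent of adjusting _time in the search itself)."""
    lo = now - timedelta(seconds=window_seconds)
    result = []
    for ln in lines:
        skew = timedelta(seconds=skew_seconds(ln, parse_tz, actual_tz))
        fixed = parse_timestamp(ln, parse_tz) - skew
        if lo <= fixed <= now:
            result.append(ln)
    return result


if __name__ == "__main__":
    print("skew when UTC is parsed as EDT:", skew_seconds(RECENT, EDT, UTC), "seconds")
    print("last 60 min, parsed correctly as UTC:", events_in_window(LINES, UTC))
    print("last 60 min, mis-parsed as EDT:      ", events_in_window(LINES, EDT))
    print("last 60 min, mis-parsed then corrected:",
          corrected_events_in_window(LINES, EDT, UTC))
```

Running it shows the skew is +14400 seconds: the event from 30 minutes ago is stamped 3.5 hours into the future and drops out of the window, while the event from 4.5 hours ago is stamped as if it were 30 minutes old and is the one the search returns. The correction function only subtracts a constant offset, which is exactly the "add 4 hours" the post does by hand; it breaks when daylight saving time changes the offset, which is why the durable fix is to tell the indexer the source's real zone for that sourcetype rather than to adjust at search time.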