There are a few possible explanations.

- Your selected time zone does not match the time zone of the system that produced the event.
- The time field in the event does not have a time zone indication, so Splunk assumed the time is in the Splunk server's time zone.
- The time field in the event does have a time zone indicator, but the TIME_FORMAT attribute in props.conf does not account for it.
- The TZ attribute in props.conf is not set correctly.
- The clock on the originating system is incorrect.
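The two props.conf causes listed above, shown as a weak stanza beside corrected ones. This is an added example, not part of the original answer; the sourcetype names, the sample events in the comments and the America/Chicago zone are constructed assumptions.

```ini
# props.conf on the instance that parses the data (indexer or heavy forwarder).
# Sourcetype names and sample events below are constructed for illustration.

# Case 1: the event carries a numeric offset, for example
#   2024-03-12 14:05:09 -0500 action=login user=alice
#
# Weak: TIME_FORMAT ends at the seconds and the lookahead stops after
# 19 characters, so "-0500" is never read. Splunk then treats the time
# as if the event had no zone indicator at all.
[example:app_with_offset:weak]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19

# Corrected: %z consumes the offset, and the lookahead is widened to
# cover the full 25-character timestamp (19 + space + 5).
[example:app_with_offset]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S %z
MAX_TIMESTAMP_LOOKAHEAD = 25

# Case 2: the event has no zone indicator, for example
#   2024-03-12 14:05:09 action=login user=alice
#
# TIME_FORMAT cannot supply what is not in the event, so TZ states the
# zone the originating system logs in (assumed here to be US Central).
[example:app_no_zone]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TZ = America/Chicago
```

These settings are applied when the data is parsed, so they change the timestamps of newly indexed events only; events already in the index keep the time they were given.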