I have this issue as well but without the benefit of logs in GMT. My logs are multiple time zones in a single host, index, source, sourcetype combo. Here's an example: { [-] AppID: ElapsedSeconds: 0.694 seconds Event: RestCall Method: POST Request: { [+] } RequestLength: 371 RequestTimestamp: 16-Nov-2022 12:59:54 Response: { [+] } ResponseLength: 286 ResponseTimestamp: 16-Nov-2022 12:59:55 SequenceNumber: null ServiceName: ServiceURL: StatusCode: 200 StatusText: OK TimeZone: Asia/Shanghai UserID: UserIP: 127.0.0.1 UserName: }   In total there are about 85 different timezones logging here. Any idea how to get Splunk to recognize the timezone when not with the time stamp?  ... View more

Same problem here. UF configs were applied to our HF. Still a good answer 4yrs later. Thank you. ... View more

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usesummaryindexing Does summary indexing count against your license? Summary indexing data volume is not counted against your license, even if you have multiple summary indexes. All summarized data has a special default source type. Events summarized in a summary events index have a source type of stash. Metric data points summarized in a summary metrics index have a source type of mcollect_stash. If you use commands like collect or mcollect to change these source types to anything other than stash (for events) or mcollect_stash (for metric data points), you will incur license usage charges for those events or metric data points. ... View more