Gravedigging for karma / answering questions left unanswered: This would be set in most cases on the receiving indexers props.conf. And you are very right, in no case should ../default/ be modified. Create a ../local/ or a whole new app if you'd like with a ../local/props.conf If all you do is modify a local props.conf by adding a sourcetype stanza with TZ, there's no requirement to restart splunk, it should detect that change on its own.
... View more
