You can't change already indexed data in Splunk. You could mask the events with | delete to prevent them from showing up in future searches, then re-index the bad data with the TZ settings in place.
... View more
appears to be a bug in the rtrim() (also trim() ) function. Workaround is to use tostring() on the first argument:
| eval Hotel=tostring(HotelID) | eval Hotel=rtrim(tostring(Hotel),substr(Hotel,-2))
... View more
We have updated the 4.3 upgrade topic with this information, thanks for catching it! http://docs.splunk.com/Documentation/Splunk/latest/Installation/Aboutupgradingto4.3READTHISFIRST
... View more