Hello Team ,

we have strange issue with the logs we receive from palo alto devices , we have app/addon installed and as i see props.conf file has time zone configured as TZ=GMT for these logs and devices who are sending logs are also in GMT only .

Now when i search logs in search head with real time windows it shows correct logs .

But if i select logs for last 4 hours 60 minutes etc . it shows alert where event time is delayed by 8 hours. that is last event it shows is 8 hours earlier.

when i select all time it will show current event from firewall for eg :- if current time is 2PM UTC then event shown is 2PM
and splunk user time it shows is 10 PM PST in the logs listed .

I am not sure what is wrong as sourcetypes are having TZ=GMT configured but still looks like splunk is adding 8 hours in it as my splunk servers are in pst.