Time is a bit hairy if it's not set correctly when data starts coming in. If you have the appropriate TZ specified in props.conf for your host/sourcetype, then anything coming in from the point the change was made will be "correct". All time math inside of Splunk is done in epoch time, and therefore if your data came in, and Splunk thought it was in UTC, then they have timestamps for whatever that timestamp is (allowing for TZ) in epoch time. Local TZ specifies how you want the time to be displayed along the "Time" column in the events window. You can change your TZ and see how things change (the "Time" value will change, but the timestamp in the raw events will not).
Sorry to ramble a bit, but the way I approach it, if working with OSes set in different TZs, I specify the correct TZ for hosts/sources based on whatever criteria I can align them with. Say you have hostnames starting with "SF" - as an example, meaning they are in San Fran - and some starting with "NY", then I would set the stanza as follows:
[host::SF*]
TZ = PST
or
[host::NY*]
TZ = EST
If they can be split by IPs or some other mechanism, use that. Hope this helps.
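Added example, not part of the original answer and not Splunk code: a small Python model of the behaviour described above, where a zone-less raw timestamp is converted to epoch using a TZ chosen by host pattern, and the viewer's TZ only changes how that epoch is displayed. The host names, the sample timestamp, the fixed UTC-8/UTC-5 offsets (no DST) and the UTC fallback for unmatched hosts are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Constructed mapping mirroring the two host stanzas above.
# Fixed offsets stand in for the PST/EST values (assumption: no DST).
HOST_TZ = [
    ("SF*", timezone(timedelta(hours=-8), "PST")),
    ("NY*", timezone(timedelta(hours=-5), "EST")),
]
DEFAULT_TZ = timezone.utc  # assumption: unmatched hosts are read as UTC
RAW_FORMAT = "%Y-%m-%d %H:%M:%S"  # raw event timestamp carries no zone


def resolve_tz(host):
    """Return the TZ of the first host pattern that matches, else the default."""
    for pattern, tz in HOST_TZ:
        if fnmatchcase(host, pattern):
            return tz
    return DEFAULT_TZ


def to_epoch(raw_ts, host):
    """Interpret the zone-less raw timestamp in the host's TZ, return epoch seconds."""
    naive = datetime.strptime(raw_ts, RAW_FORMAT)
    return int(naive.replace(tzinfo=resolve_tz(host)).timestamp())


def display(epoch, viewer_tz):
    """Render a stored epoch in the viewer's TZ; the stored value is unchanged."""
    return datetime.fromtimestamp(epoch, viewer_tz).strftime(RAW_FORMAT)


def skew_if_unmapped(raw_ts, host):
    """Seconds the event would be misplaced if the host fell back to DEFAULT_TZ."""
    naive = datetime.strptime(raw_ts, RAW_FORMAT)
    return to_epoch(raw_ts, host) - int(naive.replace(tzinfo=DEFAULT_TZ).timestamp())


if __name__ == "__main__":
    raw = "2024-01-15 09:00:00"  # constructed sample, same wall-clock text on both hosts
    for host in ("SFWEB01", "NYDB02", "LONAPP03"):
        e = to_epoch(raw, host)
        print(host, e, "shown to a UTC viewer as", display(e, timezone.utc),
              "| skew if unmapped:", skew_if_unmapped(raw, host), "s")
```

Two events with identical raw text from an SF host and an NY host land three hours apart on the timeline, which is what makes cross-site correlation work once the per-host TZ is right.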