Some very strange time fields for events are being indexed on Splunk by the CEM product that are 6 hours after the event actually happened.  

With Splunk the time zone offsets can be used to ensure that they correlate correctly when you search. 

Splunk can configure time zones based on the host, source, or source type of an event using the props.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.

Details can be found "Configure timestamps" in the Splunk documentation. 

The "Configure timestamps" section covers the following topics: 

• Specify time zones for timestamps 
• How Splunk software determines time zones 
• Specify time zones in props.conf 
• Examples of time zone specification in props.conf 
• zoneinfo (TZ) database 
• Map timezone strings extracted from event data 
• Set the time zone for a user's search results