We are seeing some very strange _time fields for events being indexed in Splunk by the CA CEM product: the timestamps are 6 hours after the event actually happened. How can this be corrected?


Article ID: 14917

Products

CA Compliance Event Manager

Issue/Introduction

We are seeing some very strange _time fields for events being indexed in Splunk by the CA CEM product: the timestamps are 6 hours after the event actually happened. How can this be corrected?

Environment

Release:
Component: CEVM

Resolution

A constant offset such as 6 hours is almost always a time zone mismatch: the timestamp in the CEM event carries no explicit zone, so Splunk interprets it in the default time zone of the instance that parses the data (the indexer or heavy forwarder), which is not the zone in which CEM wrote it. If you index data from different time zones, Splunk lets you assign a time zone offset per data source so that events correlate correctly when you search.

You can configure the time zone based on the host, source, or source type of an event with the TZ setting in props.conf, placed in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory under $SPLUNK_HOME/etc/apps/. The setting takes effect on the instance that parses the data, applies only to events indexed after the change, and is ignored for timestamps that already contain an explicit zone or offset.

Details can be found under "Configure timestamps" in the Splunk documentation. 

The "Configure timestamps" section covers the following topics: 

  • Specify time zones for timestamps 
  • How Splunk software determines time zones 
  • Specify time zones in props.conf 
  • Examples of time zone specification in props.conf 
  • zoneinfo (TZ) database 
  • Map timezone strings extracted from event data 
  • Set the time zone for a user's search results
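The following props.conf fragment is an added example, not part of this article or of the CEM product documentation. It assumes that CEM writes its timestamps in UTC while the parsing Splunk instance defaults to US Central time (UTC-6 in standard time), which would produce exactly a six-hour lag; the sourcetype name ca_cem_events and the host name cemhost01 are placeholders, so substitute the sourcetype and host your CEM events actually carry. Only one of the two stanzas is needed; the sourcetype stanza is shown first because it survives host changes.

```ini
# props.conf
# Place in $SPLUNK_HOME/etc/system/local/ or in <your_app>/local/ on the
# indexer or heavy forwarder that parses the CEM events (a universal
# forwarder does not apply TZ to unstructured data).

# Option 1: assign the zone by source type.
# "ca_cem_events" is an assumed sourcetype name for this example.
[ca_cem_events]
# Zone the CEM timestamps are written in (assumed UTC here).
# Use any zoneinfo (TZ database) name, e.g. UTC, America/Chicago, Europe/Berlin.
TZ = UTC

# Option 2: assign the zone by host instead.
# "cemhost01" is an assumed host name for this example.
[host::cemhost01]
TZ = UTC

# If the events do contain a zone string that Splunk does not recognise
# (for example a site-specific abbreviation), map it instead of forcing TZ.
# "CEMT" is an assumed example string; "America/Chicago" is the assumed target.
# TZ_ALIAS = CEMT=America/Chicago
```

Restart Splunk (or reload the configuration) on the parsing instance after editing the file; events already indexed keep their original _time and are not rewritten. To check the result, compare the raw timestamp with the indexed time for a few new events, for example with `index=<your_index> sourcetype=ca_cem_events | eval indexed=strftime(_time, "%Y-%m-%d %H:%M:%S %z") | table _raw indexed`: after the fix the difference should be the zone offset you configured, not the six-hour lag.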