According to doco: "The date_hour field ... is extracted from the event's timestamp (the value in _time)." Consider this test:
index=*
| eval hour=strftime(_time,"%H")
| eval shift=date_hour-hour
| stats count by shift index date_zone
| stats values(eval(index."-".count)) as sourcetype sum(count) as count by shift date_zone
| sort -shift
The output is all over the map:
shift  date_zone  sourcetype                            count
17     local      main-3550674, r-7006, sample-16093    3573773
16     local      r-1572                                1572
0      0          main-1158239                          1158239
-7     local      main-3817593, r-18887, sample-41819   3878299
-8     local      main-1626, r-2839                     4465
When I examine raw data closely, it seems that strftime(_time,"%H") reports the hour of day correctly.
A similar inconsistency exists between date_mday and "%d".
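As an added example (not part of the question and not Splunk's own code), a small Python model of how shifts like 17/-7 and 16/-8 would arise if date_hour were read from the timestamp text in the raw event while strftime(_time,"%H") rendered _time in the search-time timezone, assumed here to be UTC; the events, their UTC offsets and the SEARCH_TZ value are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed events: the timestamp text as written in the raw event and the
# UTC offset the indexer is assumed to have applied when deriving _time.
EVENTS = [
    ("2023-03-10 23:15:00", -7),  # written in PDT
    ("2023-03-10 01:15:00", -7),  # written in PDT
    ("2023-03-10 20:00:00", -8),  # written in PST
    ("2023-03-10 12:00:00", -8),  # written in PST
    ("2023-03-10 12:00:00", 0),   # written in UTC (the date_zone=0 case)
]

SEARCH_TZ = timezone.utc  # assumed timezone in which strftime renders _time


def date_hour(raw):
    """Hour taken straight from the timestamp text (assumed date_hour behaviour)."""
    return int(raw[11:13])


def event_time(raw, offset_hours):
    """Epoch seconds for the event, i.e. the assumed value of _time."""
    naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours))).timestamp()


def strftime_hour(epoch, tz=SEARCH_TZ):
    """Equivalent of strftime(_time,"%H") rendered in the search-time timezone."""
    return int(datetime.fromtimestamp(epoch, tz).strftime("%H"))


def shift(raw, offset_hours, tz=SEARCH_TZ):
    """date_hour - hour, as computed by the eval in the search above."""
    return date_hour(raw) - strftime_hour(event_time(raw, offset_hours), tz)


def implied_offset_hours(s):
    """Shifts that differ by 24 (17 and -7, 16 and -8) map to one offset."""
    return (-s) % 24


def all_shifts(tz=SEARCH_TZ):
    return [shift(raw, off, tz) for raw, off in EVENTS]


if __name__ == "__main__":
    for (raw, off), s in zip(EVENTS, all_shifts()):
        print(f"{raw} (UTC{off:+d}) -> shift {s:3d}, implied offset {implied_offset_hours(s)}h")
```

Only the modulo-24 wrap separates the 17 and -7 rows (and the 16 and -8 rows) in the table above, which is the pattern to check for before treating date_hour and strftime as disagreeing about the hour itself.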