https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118848#M184018 <P>I had this inconsistent behavior for appendcols as well. I replaced the appendcols with join and was able to get more consistent result with data in same format. Try below and let me know if it helped.</P> <PRE><CODE>sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=-7d@d latest=-6d@d | stats count as LastWeek by date_hour | join type=outer date_hour [search sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=@d latest=now | stats count as Today by date_hour] </CODE></PRE> Mon, 28 Oct 2013 23:51:43 GMT somesoni2 2013-10-28T23:51:43Z https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118847#M184017 <P>Hi,<BR /> I am getting order count today by hour vs last week same day by hour and having a column chart. This works fine most of the times but some times counts are wrong for the sub query. It looks like the counts are being shifted. For example, 9th hour shows 6th hour counts, etc. This does not happpen all the time but don't know why this happens some times. Any idea? </P> <P>sourcetype="access_combined_wcookie" (uri=<EM>/submitOrder</EM>) earliest=-7d@d latest=-6d@d | stats count as LastWeek by date_hour | appendcols [search sourcetype="access_combined_wcookie" (uri=<EM>/submitOrder</EM>) earliest=@d latest=now | stats count as Today by date_hour]</P> Mon, 28 Sep 2020 15:06:52 GMT https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118847#M184017 xvxt006 2020-09-28T15:06:52Z https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118848#M184018 <P>I had this inconsistent behavior for appendcols as well. I replaced the appendcols with join and was able to get more consistent result with data in same format. Try below and let me know if it helped.</P> <PRE><CODE>sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=-7d@d latest=-6d@d | stats count as LastWeek by date_hour | join type=outer date_hour [search sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=@d latest=now | stats count as Today by date_hour] </CODE></PRE> Mon, 28 Oct 2013 23:51:43 GMT https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118848#M184018 somesoni2 2013-10-28T23:51:43Z https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118849#M184019 <P>It could perhaps be due to the fact that the <CODE>date_*</CODE> fields are extracted as-is from the events, and do not take timezones into consideration (which <CODE>_time</CODE>) does.</P> <P>Thus you might be better off with extracting this information yourself with</P> <P><CODE>| eval hr=strftime(_time, "%H")|</CODE></P> <P>before the <CODE>stats</CODE> (in both inner and outer searches). Then use </P> <P><CODE>by hr</CODE> </P> <P>instead of </P> <P><CODE>by date_hour</CODE></P> <P>/k</P> Tue, 29 Oct 2013 00:25:17 GMT https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118849#M184019 kristian_kolb 2013-10-29T00:25:17Z https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118850#M184020 <P>Thank you. It seems to be working fine. I have to wait few days to see if i get the behavior again. Thanks for your help.</P> Tue, 29 Oct 2013 03:52:38 GMT https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118850#M184020 xvxt006 2013-10-29T03:52:38Z https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118851#M184021 <P>Hi Kristian, Thanks for your suggestion. I tried it and it showed the same behavior. Looks like it is due to appendcols as per below answer.</P> Tue, 29 Oct 2013 03:53:48 GMT https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118851#M184021 xvxt006 2013-10-29T03:53:48Z https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118852#M184022 <P>You have read the documentation for <CODE>appendcols</CODE>, right?</P> <PRE><CODE>Synopsis Appends the fields of the subsearch results to current results, first results to first result, second to second, etc. </CODE></PRE> <P>If there are no results for a certain time slot in either of the searches, the results would be shifted, as per documentation.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendcols">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendcols</A></P> <P>/K</P> Tue, 29 Oct 2013 07:02:49 GMT https://community.splunk.com/t5/Splunk-Search/Does-date-hour-work-properly/m-p/118852#M184022 kristian_kolb 2013-10-29T07:02:49Z