Any chance of looking at the raw data, wrapping the data into a makeresults SPL, and/or simplifying the data? It makes it a bit easier for people to pick the question up and try different things with it.
The above query pulls back the last 4 hours' worth of data but seems to pull data back from earlier in the year. Is there another time field in the data to account for this, i.e. not using the default _time field?
Looking at this some more, I think the crux of the problem is grouping by month. As a starting point I've put together some SPL to show how to obtain the month from a timestamp and then do a count by month.
The value generated in _time will be a random time in the year 2018, as 1514764800 is the epoch in seconds for the beginning of 2018.
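As an added illustration of the approach described above (this is not the answerer's own SPL), the following search builds its own sample events with makeresults, spreads them randomly across 2018, derives a month field from _time and counts by it. The field name `month`, the event count and the year-length constant are assumptions chosen for the example; because the events are constructed by makeresults rather than read from an index, the time picker has no effect on them, which is one reason a search can appear to return events from outside the selected time range.

```spl
| makeresults count=50
| eval _time = 1514764800 + (random() % 31536000)
| eval month = strftime(_time, "%Y-%m")
| stats count AS events, min(_time) AS earliest_epoch, max(_time) AS latest_epoch BY month
| eval earliest = strftime(earliest_epoch, "%Y-%m-%d %H:%M:%S"), latest = strftime(latest_epoch, "%Y-%m-%d %H:%M:%S")
| fields month, events, earliest, latest
| sort month
```

Here 1514764800 is 2018-01-01 00:00:00 UTC and 31536000 is the number of seconds in a 365-day year, so `random() % 31536000` yields an offset somewhere inside 2018 (random() returns a non-negative integer, so the modulo never goes negative). strftime with `%Y-%m` gives a sortable year-month key; grouping on that key, rather than on a bare `%m`, keeps January 2018 and January 2019 apart if real data spans a year boundary. Swapping the first two lines for a normal `index=... ` search applies the same month grouping to indexed events, and if those events carry their timestamp in some field other than _time, the strftime call can be pointed at that field instead.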