I don't know what is causing this HOWEVER I do know that these fields are FAR less "interesting" than you think that they are. These fields are for DEBUGGING purposes; not for general use. They are leftovers of the timesamping and timezoning process and are PRE-NORMALIZED meaning that they are NOT for general use. If you do not believe me then run this search and see for yourself:

index=* OR index=_* date_hour=*
| eval real = strftime(_time, "%A %B %d %T %Y %z")
| rex field=real "^(?<real_wday>\S+)\s+(?<real_month>\S+)\s+(?<real_mday>\S+)\s+(?<real_hour>\d+):(?<real_minute>\d+):(?<real_second>\d+)\s+(?<real_year>\S+)\s+(?<real_zone>\S+)"
| table real* date*
| foreach  real* date* [ eval <<FIELD>> = lower(<<FIELD>>)]
| stats count count(eval(real_wday!=date_wday)) AS diff_wday count(eval(real_month!=date_month)) AS diff_month count(eval(real_mday!=date_mday)) AS diff_mday count(eval(real_hour!=date_hour)) AS diff_hour count(eval(real_minute!=date_minute)) AS diff_minute count(eval(real_second!=date_second)) AS diff_second count(eval(real_year!=date_year)) AS diff_year count(eval(real_zone!=date_zone)) AS diff_zone

Just think about it for a second. If you have a different personal Time zone setting than somebody else and you both run the same search for "yesterday", you are GUARANTEED to get different answers because the events brought back will be different AND because you are using date_* fields that are pre-normalized. NEVER use the date_* fields; always calculate your own.