date_hour is an indexed field, so you can do this in your original query.
original search date_hour>8 date_hour<16
The goal is to pull fewer events off the disk, and use the index wherever possible. If you can do it in the base query, then you can also use it as the query for an accelerated data model, which I'm guessing you'll want for your use case. Incidentally, I assumed that spelling each hour out with a bunch of OR statements would have been more efficient, but it doesn't seem to make any difference. I think that's an improvement in recent years.
Is the reason for the timeframe to find "business hours"? The date_hour is UTC, so is not going to honor Daylight savings. Pad accordingly.
This would be a great use for an eventtype, then you can simply add to any query eventtype=businesshours. An eventtype does introduce some added load, since it is calculated any time you run a query against the events that the eventtype is configured to apply to, so for minimal load, use a macro. An eventtype is handy in other ways, of course, but it does introduce load.
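The eventtype and macro options described in the answer above, written out as an added configuration example that is not part of the original post. The name businesshours and the filter date_hour>8 date_hour<16 come from the post; the two-argument macro businesshours(2) and its argument names start and end are assumptions added to make the padding adjustable.

```ini
# --- eventtypes.conf ---
# Eventtype option: tags matching events so any search can add
#   eventtype=businesshours
# It is evaluated at search time for the events it applies to.
[businesshours]
search = date_hour>8 date_hour<16

# --- macros.conf ---
# Macro option: expanded as plain text into the base search before it
# runs, so the indexed date_hour field is still filtered in the base query.
# Call it with backticks:  `businesshours`
[businesshours]
definition = date_hour>8 date_hour<16

# Assumed variant with adjustable bounds, for padding the window.
# Call it with backticks:  `businesshours(7,17)`
[businesshours(2)]
args = start,end
definition = date_hour>$start$ date_hour<$end$
```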