I have the same problem, and this started with the switch from summertime for me.
If I search for logs from 00:00 to 24:00 (earliest=-2d@d latest=-1d@d), I correctly get the logs in that timeframe.
When I want to split this time into 2 hour segments with span (either with |bucket span=2h _time or with |timechart span=2h count), the segments start at 23h. This means that my first and last segment only have data from one hour.
How come "span" uses a different time setting than earliest/latest?
My workaround (which needs to change every timechange) is the following:
| eval _time=_time+3600
| bucket span=2h _time
| eval _time=_time-3600
| stats count by _time
Not very elegant, but it works.
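The behaviour described in the post, modelled outside Splunk as an added example (this is not code from the original thread or from Splunk): `bucket span=2h` floors `_time` to a multiple of the span in epoch seconds, and epoch boundaries are UTC midnight, so with a UTC+1 offset the 2h boundaries fall on odd local hours (23:00, 01:00, ...). The fixed `+3600` workaround repairs that only while the offset is one hour; the `local_bucket` function below uses the UTC offset actually in force at each timestamp, so it does not need changing at the next DST switch. The time zone `Europe/Berlin`, the two sample timestamps and all function names are assumptions for the demonstration; the module needs Python 3.9+ for `zoneinfo`.

```python
from datetime import datetime
from zoneinfo import ZoneInfo  # Python 3.9+; needs system tzdata (or the tzdata package)

# Assumed search-time zone for the poster (CET in winter, CEST in summer).
TZ = ZoneInfo("Europe/Berlin")
SPAN = 2 * 3600  # span=2h


def local_ts(year, month, day, hour, minute=0, tz=TZ):
    """Epoch seconds for a wall-clock time in tz (helper to build constructed sample input)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=tz).timestamp())


def local_str(ts, tz=TZ):
    """Render an epoch timestamp as local wall-clock time."""
    return datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M")


def epoch_bucket(ts, span=SPAN):
    """Model of `bucket span=2h _time`: floor to a multiple of span in epoch seconds.
    Epoch boundaries are UTC midnight, so the buckets align to UTC, not to local time."""
    return ts - ts % span


def fixed_shift_bucket(ts, shift=3600, span=SPAN):
    """The workaround from the post: add a hard-coded offset, bucket, subtract it again.
    Correct only while the real UTC offset equals `shift`."""
    return epoch_bucket(ts + shift, span) - shift


def local_bucket(ts, tz=TZ, span=SPAN):
    """DST-safe variant: shift by the UTC offset in force at ts, bucket, shift back."""
    offset = int(datetime.fromtimestamp(ts, tz).utcoffset().total_seconds())
    return epoch_bucket(ts + offset, span) - offset


def compare(ts):
    """Show the three bucket starts, in local time, for one event timestamp."""
    return {
        "event": local_str(ts),
        "bucket_span_2h": local_str(epoch_bucket(ts)),
        "workaround_plus_3600": local_str(fixed_shift_bucket(ts)),
        "local_offset_aware": local_str(local_bucket(ts)),
    }


if __name__ == "__main__":
    # Constructed sample events: one after the autumn switch (UTC+1), one in summer (UTC+2).
    for ts in (local_ts(2023, 11, 15, 0, 30), local_ts(2023, 7, 15, 0, 30)):
        print(compare(ts))
```

For the winter event the plain 2h bucket starts at 23:00 the previous day, exactly the symptom in the post, while both shifted variants start at 00:00; for the summer event the plain bucket is already aligned to local midnight and the hard-coded `+3600` now moves the start back to 23:00, which is why the workaround has to be edited at every DST change. In SPL the offset in force at `_time` is available from `strftime(_time, "%z")` (for example `+0100`), so the shift in the workaround can be computed per event instead of hard-coded; recent Splunk versions also let `bin`/`bucket` take an `aligntime` argument so the boundaries can be anchored to the search's `earliest` rather than to the epoch.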