date_hour is a Splunk default field which holds timestamp information as generated by the respective system. These fields come over unmodified. The _time field is presented to the user according to their preferences for their local time zone, for display purposes.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Usedefaultfields
For example,
Assuming the Windows Server is in Pacific Standard Time, and the user (me) is in Eastern Time:
If the event occurred on the server at 07:37 AM PST, then my time will show 10:37 AM EST.
So the code * | eval date_hour = strftime(_time, "%H") will produce the following output:
_time = 10:37 AM
date_hour = 10
actual event time (which I want to display) = 07:37 AM
So the code above merely shows the time value using the user's offset. I want to see 07 in the date_hour field, like I would if syslog sent a record. The code does indeed create a date_hour field, but not the same date_hour which Splunk generates as a default field.
The date_* fields are only missing for Windows Events. They are visible for F5, Netscaler, and Cisco.
We have servers in all four time zones, and Hawaii.
Splunk Support tells me this unfortunately:
Unfortunately, the default date-time fields in Splunk don't work for Windows Event Logs, as it uses an API to ingest data rather than the regular data ingestion pipeline.
The link below explains default fields:
https://docs.splunk.com/Documentation/Splunk/7.2.5/Knowledge/Usedefaultfields
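The arithmetic behind the post, as an added example that is not part of the original post or of Splunk: _time is a UTC epoch, strftime(_time, "%H") renders it in the searching user's zone (Eastern, giving 10), and the hour the poster wants (07) comes from rendering the same epoch in the originating host's zone. The host names, the host-to-zone table and the event timestamp are constructed sample data; the lookup table stands in for the kind of host-to-time-zone lookup you would maintain in Splunk.

```python
"""Hour-of-day in the originating host's time zone.

Models the page's scenario: _time is a UTC epoch, the searching user is in
US Eastern, the Windows server is in US Pacific.  strftime(_time, "%H") in the
user's zone gives 10; the server-local hour the poster wants is 07.
All hosts, zones and timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone, tzinfo

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
except ImportError:  # Python < 3.9 has no zoneinfo module
    ZoneInfo = None
    ZoneInfoNotFoundError = Exception

# Constructed host -> IANA zone table (the role a Splunk lookup would play).
HOST_TZ = {
    "win-dc01": "America/Los_Angeles",
    "win-fs02": "America/New_York",
    "win-app03": "Pacific/Honolulu",
}

# Standard-time offsets used only if tzdata is not installed (ignores DST).
_FALLBACK_OFFSETS = {
    "America/Los_Angeles": -8,
    "America/New_York": -5,
    "Pacific/Honolulu": -10,
}

USER_TZ = "America/New_York"  # the searching user's display zone (assumed)


def resolve_tz(name: str) -> tzinfo:
    """Return a tzinfo for an IANA name; fall back to a fixed standard-time offset."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)  # DST-aware when tzdata is present
        except ZoneInfoNotFoundError:
            pass
    return timezone(timedelta(hours=_FALLBACK_OFFSETS[name]))


def display_hour(epoch: float, user_tz: str = USER_TZ) -> int:
    """What eval date_hour = strftime(_time, "%H") yields: the user's zone."""
    return datetime.fromtimestamp(epoch, resolve_tz(user_tz)).hour


def server_hour(epoch: float, host: str) -> int:
    """Hour in the originating host's zone, taken from the HOST_TZ table."""
    zone = HOST_TZ.get(host)
    if zone is None:
        raise KeyError(f"no time zone known for host {host!r}")
    return datetime.fromtimestamp(epoch, resolve_tz(zone)).hour


def sample_event_time() -> float:
    """Constructed event: 07:37 on a January (standard-time) morning on win-dc01."""
    local = datetime(2019, 1, 15, 7, 37, tzinfo=resolve_tz("America/Los_Angeles"))
    return local.timestamp()  # aware datetime -> UTC epoch, like Splunk's _time


if __name__ == "__main__":
    t = sample_event_time()
    print("user-display hour:", display_hour(t))               # 10
    print("server-local hour:", server_hour(t, "win-dc01"))    # 7
    print("Hawaii host hour:", server_hour(t, "win-app03"))    # 5
```

The same idea in Splunk would be a lookup from host to the host's UTC offset followed by strftime(_time + offset, "%H"); the post does not show that, and the table here is only a stand-in. Note that a fixed per-host offset breaks across DST changes, which is why the example keys the table on IANA zone names and lets zoneinfo apply DST when tzdata is available.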