topic Re: bin and bucket command examples to practice in Deployment Architecture

bin and bucket command examples to practice

logloganathan — Sun, 15 Apr 2018 17:16:38 GMT

Could anyone please give bin and bucket command examples to practice

Re: bin and bucket command examples to practice

skoelpin — Sun, 15 Apr 2018 17:30:37 GMT

Most of the time I use bin is to bucket time into segments.

Any other time I use bin is to see how distributed data is. So it will follow the format below

| bin <FIELD> span=<SEGMENT_Size>

| bin _time span=1h

Re: bin and bucket command examples to practice

niketn — Sun, 15 Apr 2018 21:50:08 GMT

@logloganathan, I would request you to at least try to research a bit before posting a question.

Usual google search for you should be Splunk <command you want to search> or even better Splunk Docs <command you want to search>. Before posting to Splunk Answers you can search Splunk Answer <command you want to search> (While you type in your question Splunk Answers will also suggest you previous answers on similar lines for you to refer).

Following is the link to bin command Splunk Documentation which mentions that bucket is just and alias for bin command. It also has some examples.

In case searching through Splunk Docs, Splunk Dev, Splunk Blogs, Splunk Answers, Splunk Education or other online resources does not cater to your queries/issues you can mention the specifics so that community members can assist you with the same. Also as suggested earlier, Slack Chat on Splunk Channels in Splunk User Groups seems more appropriate channel for faster resolutions to specific problems you are facing.

Re: bin and bucket command examples to practice

logloganathan — Mon, 16 Apr 2018 09:20:03 GMT

i raised a request but i have not get the approval for Slack chat.

Re: bin and bucket command examples to practice

niketn — Mon, 16 Apr 2018 14:25:05 GMT

@logloganathan, I see that you have down voted my comment. Down voting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices.

Simply commenting with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.

Refer to community guidelines (ironically again on Splunk Docs :)): https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines

I am curious to know as to how request to research on own before asking question is harmful for you/your environment. Please clarify!!!

Re: bin and bucket command examples to practice

woodcock — Fri, 20 Apr 2018 23:00:00 GMT

If you need to timechart by multiple fields, then you can do bin _time span=YourSpan | stats count BY field1 field2 ... fieldn _time as your base search and then in post-process searches, you can do timechart span=YourSpan sum(count) BY field1 and use field2 in the next panel, etc.

Re: bin and bucket command examples to practice

logloganathan — Mon, 23 Apr 2018 13:23:06 GMT

Thanks for your answer!!

Re: bin and bucket command examples to practice

mclane1 — Tue, 29 Sep 2020 22:04:57 GMT

Hello,
After testing your solution I want to give more information :
bginQuery | bin _time span=$your_span$ | stats count as nb by field1, field2, ... fieldn, _time | search fieldx=yourValue | TIMECHART span=$your_span$ sum(nb) BY fieldy
For the last timechart you need sum the result and not just count

Re: bin and bucket command examples to practice

woodcock — Tue, 20 Nov 2018 23:47:38 GMT

I updated my answer to be more specific. You are completely correct and my original vague phrasing should have been more clear (I was trying to provide a more general answer).

Re: bin and bucket command examples to practice

logloganathan — Tue, 27 Nov 2018 14:02:45 GMT

wow really helpful query