https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76366#M19303 <P>Hi Borja!</P> <P>Did you ever find an answer to this? I'm struggling with the same issue. Using the value of an eval field inside a command.</P> Tue, 08 Sep 2015 09:45:10 GMT mikaelbje 2015-09-08T09:45:10Z https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76361#M19298 <P>Is there any way to use a variable on the bucketing start option? It only works if you use an explicit numeric value.</P> <P>| eval DemoTime = strptime(FechaIni,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=<STRONG>1339372800.000000</STRONG> as weeks</P> <P>Thanks in advance.</P> Fri, 15 Jun 2012 10:21:05 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76361#M19298 bfernandez 2012-06-15T10:21:05Z https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76362#M19299 <P>It's expecting an integer there, not a string. Are you stringifying your variable by double-quoting the value?</P> Fri, 15 Jun 2012 14:16:15 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76362#M19299 Lamar 2012-06-15T14:16:15Z https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76363#M19300 <P>Hi Lamar,</P> <P>In this case, I am using another date field converter by strptime where it is assumed that the output is an integer</P> <P>| eval Initialtime = strptime(ADate,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=Initialtime as weeks</P> <P>Thanks,</P> Mon, 18 Jun 2012 07:52:30 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76363#M19300 bfernandez 2012-06-18T07:52:30Z https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76364#M19301 <P>That's not an integer though. There are integers in that string you're creating, it might look something like this:</P> <P>2012-10-10 10:10:10.100</P> <P>What you want to feed it is an integer. try using:</P> <P>| convert ctime (ADate) as Initialtime ...</P> <P>That will be the epoch conversion of that date-time, which will be an integer that the start keyword is expecting. And if it's already epoch, just pass it over to start.</P> Mon, 18 Jun 2012 14:59:18 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76364#M19301 Lamar 2012-06-18T14:59:18Z https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76365#M19302 <P>Hi Lamar,</P> <P>You are right, this option require a numeric value.</P> <P>That’s the reason to use strptime that convert our human readable time string to an epoch time</P> <P>Example: </P> <P>adate = 2012-06-26 00:00:00.000<BR /> Initialtime = 1340661600.000000 (numeric)</P> <P>Additionaly, I tried to forze this Initialtime field to numeric format with | convert num(Initialtime) as InitialtimeNum but the query always return:</P> <P>Error in 'bin' command: The value for option start (InitialTime) is invalid.</P> <P>Note: Splunk indicates that Convert command is mostly deprecated.</P> <P>Thanks,</P> Thu, 28 Jun 2012 09:05:19 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76365#M19302 bfernandez 2012-06-28T09:05:19Z https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76366#M19303 <P>Hi Borja!</P> <P>Did you ever find an answer to this? I'm struggling with the same issue. Using the value of an eval field inside a command.</P> Tue, 08 Sep 2015 09:45:10 GMT https://community.splunk.com/t5/Splunk-Search/Use-variable-on-bucketing-option/m-p/76366#M19303 mikaelbje 2015-09-08T09:45:10Z