topic Re: BIN - incorrect buckets in Splunk Search

BIN - incorrect buckets

kp_pl — Thu, 01 Aug 2024 14:25:20 GMT

In my case there is an index with field OP which has a duration TT . Of course there are a lot of records with different OPs and diffent TTs

| stats perec25(TT) as Q1, median(TT) as Q2MEDIAN, perc75(TT) as Q3, perc98(TT) as P98 by OP

Here is the way I count quartiles and 98percentile of my set. The result is four values between 2sek.(Q1 ) and 40sek.(P98) for every OP.
Last time @ITWhisperer mestioned about command BIN. I like it! I wondered about creating 10 bins instead ( kind of every10 percentile).
I did somethink like

| bin TIMETAKEN bins=10 |stats count(TIMETAKEN) by TIMETAKEN

and expected to see 10 bins but the result was :

TIMETAKEN count(TIMETAKEN)
0-10 6393
10-20 389
20-30 15
40-50 2

so no 10 bins but only 4 😞 What am I doing wrong ?

And how to create 10 bins for each OP ? Something like

| bin TIMETAKEN bins=10 |stats count(TIMETAKEN) by OP

???

Re: BIN - incorrect buckets

gcusello — Thu, 01 Aug 2024 14:56:48 GMT

Hi @kp_pl ,

as you can run at https://docs.splunk.com/Documentation/SCS/current/SearchReference/BinCommandOverview

The SPL2 bin command puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.

but the option to give the groups is span and not bin, bin gives the number of groups.

so please try something like this:

<your-search> | bin span=10 TIMETAKEN | stats count by TIMETAKEN

Ciao.

Giuseppe

in other words, you could use

Re: BIN - incorrect buckets

PickleRick — Thu, 01 Aug 2024 18:22:06 GMT

You checked the SPL2 bin command, not the SPL one.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin

Re: BIN - incorrect buckets

PickleRick — Thu, 01 Aug 2024 20:24:40 GMT

Indeed the bin command behaves... interestingly.

A run-anywhere example

| makeresults count=999
| streamstats count
| eval count=count+1
| map maxsearches=10000 search="| makeresults count=10000
| eval r=random() % 10000
| bin bins=$count$ r 
| stats count by r|stats count as bins |eval count=$count$"

It shows that it splits into either 1, 10, 100 or 1000 buckets.

That's... strange.

Re: BIN - incorrect buckets

kp_pl — Thu, 01 Aug 2024 21:27:53 GMT

Does not matter SPAN or BIN equal 10 it creates 4 or 5 buckets 😞 I even gave bin=20 but it returned the same result. I need to agree with @PickleRick behaviour of bin is sort of interesting .
But in fact documentation says :

bins Syntax: bins=<int> Description: Sets the maximum number of bins to discretize into.

So the Splunk decides how many bin it creates not me 😞

Re: BIN - incorrect buckets

PickleRick — Fri, 02 Aug 2024 11:30:54 GMT

Yes, it seems Splunk has some more internal rules on how many buckets it creates so I think a doc feedback is called for.