How do I assign whole numbers to the lower bucket through the bucket function?



I am using the bucket function to split my data into buckets of 2:

bucket field_name span=2

The buckets that it creates are 0-2, 2-4, 4-6, 6-8, and so on where the upper value of a given bucket is the same as the lower value of the next bucket. The default logic for categorizing the value is >= lower value and < upper value. It also means that the value "2" will be put into the "2-4" bucket rather than the "0-2" bucket. What I would like to know is: is there a way to specify that whole numbers in my data that correspond to a bucket limit be sorted into the lower bucket? In effect making the logic > lower value and <= upper value.

Thank you!


Tags (1)
0 Karma

Splunk Employee
Splunk Employee

I prefer a different approach:

| gentimes start=-1 | eval foo=mvrange(1,50) | table foo | mvexpand foo |  eval actual_value=(random()%10)+(random()%10)/100 | table actual_value | sort - actual_value| eval bucketed_value=(actual_value-(actual_value%1))-1 | bucket bucketed_value
0 Karma

Esteemed Legend

The most straight-forward way is to lie to the bucket command by adding this right before you call it:

 ... | eval field_name=if((field_name%2=0), field_name-.1, field_name) 
0 Karma


I don't think there is any direct/native method. You can try this workaround. (Run anywhere sample, first line is to generate sample data, replace it with your search)

| gentimes start=-1 | eval file_name=mvrange(1,50) | table file_name | mvexpand file_name | eval orig_file_name=file_name 
| eval file_name=file_name-1 | bucket span=3 file_name