Splunk Search

bin with specific buckets

dtakacssplunk
Explorer

Hello I want to use bin to categorize my runtimes into specific buckets. lets' say I want to show runtime and bucketize it every hour into buckets 0-20, 20-40, 40-60, 60 - maxtime. How do I do this?

Currently my query is like this:
index=* ..... | bucket _time span=1h | bin span=20 end=200 runTime | eval epoachtime=_time | stats count by epoachtime, runTime | makecontinuous runTime | fillnull count

and I get the following result :

epoachtime runTime count
1532620800 0-20 2263
1532624400 0-20 3097
1532628000 0-20 2249
1532617200 0-20 45
1532631600 0-20 1615
1532631600 20-40 3
1532631600 40-60 1
60-80 0
80-100 0
100-120 0
120-140 0
140-160 0
160-180 0
180-200 0
200-220 0
1532620800 220-240 1
1532631600 240-260 2
1532620800 260-280 1
1532631600 260-280 1

Tags (1)
0 Karma

nplamondon
SplunkTrust
SplunkTrust

If I understand your question correctly, you want to see events classified by groups of runtimes.

You might try the eval case function like
... | eval timeBin=case(runTime < 20, "0-20", runTime < 40, "0-40"...

This would give you a new field timeBin that would have those string values you could use to group by, etc.

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/ConditionalFunctions

0 Karma

dtakacssplunk
Explorer

yes I was thinking of the solution you proposed, but I wish the bin function min / max arguments somehow could be used to achieve something like it...

0 Karma

dtakacssplunk
Explorer

I figure I can do things like this:

index=* ..... | **eval runtimewithmax=case(runTime > 60, 61, true(), runTime)* | bucket _time span=1h | bin span=20 runtimewithmax | eval epoachtime=_time | stats count as eventcount by epoachtime, context, sourcetype, gdpr, index, path, runtimewithmax

but I was hoping there is a better way.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...