Solved: Stats Auto Bin Time

MrJohn230 · ‎11-20-2023

I have created a dashboard in dashboard studio. I have a table visualization, see my code below.

So, the "Time" column auto sets my | bin to one minute. When I update my timepicker to say the last 7 days it still shows the time |bin as one minute.

How can I dynamically change the |bin to best fit my timepicker selection?

| search cat IN ($t_endpoint$) AND Car IN ($t_car$)
| eval Time=strftime(_time,"%Y-%m-%d-%I:%M %p")
| stats limit=15 sum(Numbercat) as Numbercat, avg(catTime) as AvgcatSecs by Time, Car, cat

MrJohn230 · ‎11-21-2023

This is what worked for me. I added a TimeBucket dropdown box and created a token.

| search cat IN ($t_endpoint$) AND Car IN ($t_car$)
|bin _time span=$t_bin$
| stats limit=15 sum(Numbercat) as Numbercat, avg(catTime) as AvgcatSecs by _time, Car, cat
| eval Time=strftime(_time,"%Y-%m-%d-%I:%M %p")
|fields - _time
|fields Time, Numbercat

View solution in original post

MrJohn230 · ‎11-21-2023

This is what worked for me. I added a TimeBucket dropdown box and created a token.

| search cat IN ($t_endpoint$) AND Car IN ($t_car$)
|bin _time span=$t_bin$
| stats limit=15 sum(Numbercat) as Numbercat, avg(catTime) as AvgcatSecs by _time, Car, cat
| eval Time=strftime(_time,"%Y-%m-%d-%I:%M %p")
|fields - _time
|fields Time, Numbercat

PickleRick · ‎11-20-2023

Converting the time to a string is a peculiar way to do binning. I'd rather simply use the bin command with a proper set of parameters for binning.

If you want to display your time in a human-readable form you can still do fieldformat.

Stats Auto Bin Time

chart

Dashboard Studio

table

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?