Bin bucket to start with event value

lakssiv · ‎06-19-2019

Hi All,

I am using bin command to bucket all the event count based on a span of 200. The command I used is

{my search query} | bin duration span=200 | stats count by duration

Here when I try to execute this, even though the duration starts with a value for eg: 310, I see the bins are shown as 200-400, 400-600 but I wanted the bin to display from my duration start value with a span of 200 like - 310-509, 510-709, 710-909 etc. Is it possible to achieve this?

skalliger · ‎06-21-2019

Did you try start=<num> though? It's an option to bin.

lakssiv · ‎06-21-2019

I tried the start= but that didn't work. I am going to try what adonio suggested, will update here.

lakssiv · ‎06-21-2019

Tried adonio comment but looks like its totally ignoring the start attribute and start the bucket from 0 like 0-200, 200-400, 400-600 etc.

adonio · ‎06-21-2019

try this:

| makeresults count=1
| eval data = "1,310,320,500,600,700,800,1009"
| makemv data delim="," 
| mvexpand data
| bin data start=310 span=200

maybe i am missing something but using start=<num> didnt work for me

lakssiv · ‎06-20-2019

Could someone please help with this?

VatsalJagani · ‎06-21-2019

I'm thought of this a long time. I've achieved similar thing but this one is really difficult to implement logic. I'm guessing if some-else have some idea about it to achieve.

lakssiv · ‎06-21-2019

Thanks for the comment. I would really appreciate if someone could point to some direction on how to achieve this.

adonio · ‎06-21-2019

@lakssiv not sure this will satisfy, what i got is very clumsy use of bin
but i am using functions that apply only on _time field to get achieve your requirements:
try this anywhere:

  | makeresults count=1
    | eval data = "310,320,500,600,700,800,1009"
    | makemv data delim="," 
    | mvexpand data
    | rename _time as reset_time_later
    | eval _time = data
    | bin _time aligntime=310 span=200 as bin_for_data
    | eval _time = reset_time_later

in a dashboard it will be easier to accomplish as you can set tokens form searches and pass them to the next search with good flexibility.
another option can be the map command
hope it helps a little

patng_nw · ‎10-17-2023

I think the bin command never really works with the start or end parameter as documented. 😟

For me, I need a simple behavior like this:

For a span of 10:

So I created a macro called bin2 like this:

macro body:

eval $data$=$data$-1
| bin span=$span$ $data$ as bucket
| eval $data$=$data$+1
| rex field=bucket "^(?<_bin_start>\d+)"
| rex field=bucket "\-(?<_bin_end>\d+)$"
| eval _bin_start=_bin_start+1
| eval bucket=_bin_start."-"._bin_end
| fields - _bin_start, _bin_end

marco arguments:

data,span

And here is an example query:

| makeresults count=1
| eval data = "1,5,9,10,11,19,20,25,29"
| makemv data delim="," 
| mvexpand data
| `bin2(data, 10)`
| table data, bucket

And here is the result:

data	bucket
1	1-10
5	1-10
9	1-10
10	1-10
11	11-20
19	11-20
20	11-20
25	21-30
29	21-30

Bin bucket to start with event value

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!