It's always been in the start _time of the bucket for me, but that's only Splunk in the versions above 6's.
Notice, you are asking for different behavior for days than you are for minutes.
If you applied the same logic to days, anything you do today will have tomorrow's date!
Same for hours. Standard bin will give 11:00 for all times between 11:00:00 and up to but not including 12:00:00.
If you really want to use the _time, then you have two tweaks to do:
1) subtract an infinitesimal amount (like a microsecond) from the _time before the bin, if you want to be sure that events exactly at 10:45:00 will end up in the 10:45:00 bucket.
2) add the bin size to the in after binning.
| eval _time = _time -.000001
| bin _time span=5m
| eval _time = _time + 300
Usually, if it ever matters for presentation and adding clarity, I just add another field for the end_time of the