How do I assign whole numbers to the lower bucket ...

andrewtrobec · ‎02-02-2017

Hello!

I am using the bucket function to split my data into buckets of 2:

bucket field_name span=2

The buckets that it creates are 0-2, 2-4, 4-6, 6-8, and so on where the upper value of a given bucket is the same as the lower value of the next bucket. The default logic for categorizing the value is >= lower value and < upper value. It also means that the value "2" will be put into the "2-4" bucket rather than the "0-2" bucket. What I would like to know is: is there a way to specify that whole numbers in my data that correspond to a bucket limit be sorted into the lower bucket? In effect making the logic > lower value and <= upper value.

Thank you!

Andrew

bshuler_splunk · ‎03-01-2017

I prefer a different approach:

| gentimes start=-1 | eval foo=mvrange(1,50) | table foo | mvexpand foo |  eval actual_value=(random()%10)+(random()%10)/100 | table actual_value | sort - actual_value| eval bucketed_value=(actual_value-(actual_value%1))-1 | bucket bucketed_value

woodcock · ‎03-01-2017

The most straight-forward way is to lie to the bucket command by adding this right before you call it:

 ... | eval field_name=if((field_name%2=0), field_name-.1, field_name)

somesoni2 · ‎02-03-2017

I don't think there is any direct/native method. You can try this workaround. (Run anywhere sample, first line is to generate sample data, replace it with your search)

| gentimes start=-1 | eval file_name=mvrange(1,50) | table file_name | mvexpand file_name | eval orig_file_name=file_name 
| eval file_name=file_name-1 | bucket span=3 file_name

How do I assign whole numbers to the lower bucket through the bucket function?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk