bin and bucket command examples to practice

Motivator

Could anyone please give bin and bucket command examples to practice

1 Solution

SplunkTrust

Most of the time I use bin, it is to bucket time into segments.

Any other time I use bin, it is to see how distributed the data is. So it will follow the format below:

| bin <FIELD> span=<SEGMENT_Size>

OR

| bin _time span=1h

0 Karma

Esteemed Legend

If you need to timechart by multiple fields, then you can do bin _time span=YourSpan | stats count BY field1 field2 ... fieldn _time as your base search and then in post-process searches, you can do timechart span=YourSpan sum(count) BY field1 and use field2 in the next panel, etc.

Motivator

Thanks for your answer!!

0 Karma

Path Finder

Hello,
After testing your solution I want to give more information:
bginQuery | bin _time span=$your_span$ | stats count as nb by field1, field2, ... fieldn, _time | search fieldx=yourValue | TIMECHART span=$your_span$ sum(nb) BY fieldy
For the last timechart you need to sum the result and not just count.
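To make the two posts above concrete, here is an added Python model of that pipeline; it is not code from this thread or from Splunk, and it runs over a handful of constructed firewall-style events with the assumed fields src_ip and action. It reproduces `bin _time span=1h | stats count BY src_ip action _time` as the base search, then the post-process `timechart span=1h sum(count) BY src_ip`, and puts it next to the wrong `count BY` version to show why the sum is needed: the base search already collapsed events into one row per combination, so counting rows again under-reports any bucket where one src_ip had several events with the same action. It also covers the accepted answer's numeric `bin <FIELD> span=<SEGMENT_Size>` use for looking at a field's distribution (bucket starts stand in for Splunk's "lo-hi" range labels).

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the thread): (_time, src_ip, action)
EVENTS = [
    ("2024-01-01T10:05:00Z", "10.0.0.1", "allow"),
    ("2024-01-01T10:20:00Z", "10.0.0.1", "deny"),
    ("2024-01-01T10:45:00Z", "10.0.0.2", "allow"),
    ("2024-01-01T11:10:00Z", "10.0.0.1", "allow"),
    ("2024-01-01T11:30:00Z", "10.0.0.2", "deny"),
    ("2024-01-01T11:50:00Z", "10.0.0.2", "deny"),
]
FIELD_INDEX = {"src_ip": 0, "action": 1}  # position of each BY field in a row key
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_span(span):
    """Turn a span such as '1h', '15m' or a bare number into a bucket size."""
    if span[-1] in UNIT_SECONDS:
        return int(span[:-1]) * UNIT_SECONDS[span[-1]]
    return float(span)


def bin_value(value, span):
    """`| bin <field> span=<size>`: floor a numeric value to the start of its bucket."""
    size = parse_span(span)
    return (value // size) * size


def parse_time(ts):
    """ISO-8601 UTC timestamp -> epoch seconds, i.e. Splunk's _time."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def base_search(events, span):
    """`bin _time span=X | stats count BY src_ip action _time`.
    Returns {(src_ip, action, bucket_time): count}, one row per combination."""
    rows = Counter()
    for ts, src_ip, action in events:
        rows[(src_ip, action, bin_value(parse_time(ts), span))] += 1
    return rows


def timechart_sum(rows, by):
    """Post-process `timechart span=X sum(count) BY <by>`: adds up the
    pre-aggregated counts, so the chart reflects the number of events."""
    chart = defaultdict(Counter)
    for (src_ip, action, t), n in rows.items():
        chart[t][(src_ip, action)[FIELD_INDEX[by]]] += n
    return chart


def timechart_count(rows, by):
    """The mistake the thread warns about: `timechart count BY <by>` on the
    base-search output counts rows, not events, so buckets are under-reported."""
    chart = defaultdict(Counter)
    for (src_ip, action, t) in rows:
        chart[t][(src_ip, action)[FIELD_INDEX[by]]] += 1
    return chart


def distribution(values, span):
    """`| bin <FIELD> span=<SEGMENT_Size> | stats count BY <FIELD>` for a
    numeric field; keys are bucket starts rather than Splunk's range labels."""
    return Counter(bin_value(v, span) for v in values)


if __name__ == "__main__":
    rows = base_search(EVENTS, "1h")
    for t, per_ip in sorted(timechart_sum(rows, "src_ip").items()):
        print(datetime.fromtimestamp(t, timezone.utc).isoformat(), dict(per_ip))
    for t, per_ip in sorted(timechart_count(rows, "src_ip").items()):
        print("rows-only:", datetime.fromtimestamp(t, timezone.utc).isoformat(), dict(per_ip))
    print(distribution([120, 340, 355, 990, 1001], "500"))
```

In the 11:00 bucket, 10.0.0.2 has two deny events; `timechart_sum` reports 2 for that address, while `timechart_count` reports 1 because the base search left only one row for that (src_ip, action, _time) combination.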

Esteemed Legend

I updated my answer to be more specific. You are completely correct and my original vague phrasing should have been more clear (I was trying to provide a more general answer).

Motivator

Wow, really helpful query.

0 Karma

SplunkTrust

@logloganathan, I would request you to at least try to research a bit before posting a question.

The usual Google search for you should be "Splunk <command you want to search>" or, even better, "Splunk Docs <command you want to search>". Before posting to Splunk Answers you can search "Splunk Answers <command you want to search>" (while you type in your question, Splunk Answers will also suggest previous answers on similar lines for you to refer to).

Following is the link to the bin command Splunk Documentation, which mentions that bucket is just an alias for the bin command. It also has some examples.

In case searching through Splunk Docs, Splunk Dev, Splunk Blogs, Splunk Answers, Splunk Education or other online resources does not cater to your queries/issues, you can mention the specifics so that community members can assist you with the same. Also, as suggested earlier, Slack Chat on Splunk Channels in Splunk User Groups seems a more appropriate channel for faster resolutions to specific problems you are facing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Motivator

I raised a request but I have not got the approval for Slack chat.

0 Karma

SplunkTrust

@logloganathan, I see that you have down voted my comment. Down voting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or go completely against known best practices.

Simply commenting with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.

Refer to community guidelines (ironically again on Splunk Docs :)): https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines

I am curious to know how a request to research on your own before asking a question is harmful for you/your environment. Please clarify!!!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
