Deployment Architecture

bin and bucket command examples to practice

logloganathan
Motivator

Could anyone please give bin and bucket command examples to practice

Tags (2)
1 Solution

skoelpin
SplunkTrust
SplunkTrust

Most of the time I use bin is to bucket time into segments.

Any other time I use bin is to see how distributed data is. So it will follow the format below

| bin <FIELD> span=<SEGMENT_Size>

OR

| bin _time span=1h

View solution in original post

0 Karma

woodcock
Esteemed Legend

If you need to timechart by multiple fields, then you can do bin _time span=YourSpan | stats count BY field1 field2 ... fieldn _time as your base search and then in post-process searches, you can do timechart span=YourSpan sum(count) BY field1 and use field2 in the next panel, etc.

logloganathan
Motivator

Thanks for your answer!!

0 Karma

mclane1
Path Finder

Hello,
After testing your solution I want to give more information :
bginQuery | bin _time span=$your_span$ | stats count as nb by field1, field2, ... fieldn, _time | search fieldx=yourValue | TIMECHART span=$your_span$ sum(nb) BY fieldy
For the last timechart you need sum the result and not just count

woodcock
Esteemed Legend

I updated my answer to be more specific. You are completely correct and my original vague phrasing should have been more clear (I was trying to provide a more general answer).

logloganathan
Motivator

wow really helpful query

0 Karma

niketn
Legend

@logloganathan, I would request you to at least try to research a bit before posting a question.

Usual google search for you should be Splunk <command you want to search> or even better Splunk Docs <command you want to search>. Before posting to Splunk Answers you can search Splunk Answer <command you want to search> (While you type in your question Splunk Answers will also suggest you previous answers on similar lines for you to refer).

Following is the link to bin command Splunk Documentation which mentions that bucket is just and alias for bin command. It also has some examples.

In case searching through Splunk Docs, Splunk Dev, Splunk Blogs, Splunk Answers, Splunk Education or other online resources does not cater to your queries/issues you can mention the specifics so that community members can assist you with the same. Also as suggested earlier, Slack Chat on Splunk Channels in Splunk User Groups seems more appropriate channel for faster resolutions to specific problems you are facing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

logloganathan
Motivator

i raised a request but i have not get the approval for Slack chat.

0 Karma

niketn
Legend

@logloganathan, I see that you have down voted my comment. Down voting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or goes completely against known best practices.

Simply commenting with more information about what didn't work and what you've tried (or whatever other info may be relevant) would suffice to help you troubleshoot further.

Refer to community guidelines (ironically again on Splunk Docs :)): https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Answers/Splunkcommunityguidelines

I am curious to know as to how request to research on own before asking question is harmful for you/your environment. Please clarify!!!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

skoelpin
SplunkTrust
SplunkTrust

Most of the time I use bin is to bucket time into segments.

Any other time I use bin is to see how distributed data is. So it will follow the format below

| bin <FIELD> span=<SEGMENT_Size>

OR

| bin _time span=1h
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...