Deployment Architecture
Highlighted

the bins option on bucket

Explorer

I'm trying to compare 5 min of events with the previous 5 min, and I want to use data that is a few minutes old. So on the search I use this qualifier:

<b>earliest=-15m@m latest=-5m@m</b>

ok, that gives me my 10 minutes of data. Now I want to break them into 2 groups. I would have thought that

<b>| bucket bins=2</b>

should do the trick, but it does not. Instead it breaks it into 3 groups, each group on a 5 minute boundary. So if for example my data spans 5:06 to 5:16, the three groups are

5:05-5:10
5:10-5:15
5:15-5:20

when I want

5:06-5:11
5:11-5:16

How do I do this?

Tags (3)
0 Karma
Highlighted

Re: the bins option on bucket

Splunk Employee
Splunk Employee

Does that happen when you specify the field too? e.g.

| bucket _time bins=2 

compared to

| bucket _time span=5m
0 Karma
Highlighted

Re: the bins option on bucket

Splunk Employee
Splunk Employee
index=* earliest=-15m@m latest=-5m@m | bucket _time bins=2 | stats count by _time

breaks the events into 2 time periods. Make sure you include the **time** argument to the bucket/bin command.

0 Karma
Highlighted

Re: the bins option on bucket

Explorer

1000 pardons. Please see my comment above. I have been using the _time argument.

0 Karma
Highlighted

Re: the bins option on bucket

Explorer

Sorry all, I mistyped my information. Just to be clear, yes, I included the _time field. Here is the actual cut-and-paste

earliest=-15m@m latest=-5m@m| bucket _time bins=2| stats count by _time

returns

28,974 events (6/1/15 7:28:00.000 PM to 6/1/15 7:38:00.000 PM)
_time                   count
2015-06-01 19:25:00 5618
2015-06-01 19:30:00 15031
2015-06-01 19:35:00 8325

I have also tried 'span=5m' instead of 'bins=2'. Made no difference.

0 Karma