I'm trying to compare 5 min of events with the previous 5 min, and I want to use data that is a few minutes old. So on the search I use this qualifier:
ok, that gives me my 10 minutes of data. Now I want to break them into 2 groups. I would have thought that
<b>| bucket bins=2</b>
should do the trick, but it does not. Instead it breaks it into 3 groups, each group on a 5 minute boundary. So if for example my data spans 5:06 to 5:16, the three groups are
when I want
How do I do this?
Sorry all, I mistyped my information. Just to be clear, yes, I included the _time field. Here is the actual cut-and-paste
earliest=-15m@m latest=-5m@m| bucket _time bins=2| stats count by _time
28,974 events (6/1/15 7:28:00.000 PM to 6/1/15 7:38:00.000 PM)
2015-06-01 19:25:00 5618
2015-06-01 19:30:00 15031
2015-06-01 19:35:00 8325
I have also tried 'span=5m' instead of 'bins=2'. Made no difference.
index=* earliest=-15m@m latest=-5m@m | bucket _time bins=2 | stats count by _time
breaks the events into 2 _time periods. Make sure you include the _time argument to the bucket/bin command.
1000 pardons. Please see my comment above. I have been using the _time argument.
Does that happen when you specify the field too? e.g.
| bucket _time bins=2
| bucket _time span=5m