Splunk Search

BIN - incorrect buckets

kp_pl
Path Finder

In my case there is an index with a field OP which has a duration TT. Of course there are a lot of records with different OPs and different TTs.

| stats perc25(TT) as Q1, median(TT) as Q2MEDIAN, perc75(TT) as Q3, perc98(TT) as P98 by OP

Here is the way I compute the quartiles and the 98th percentile of my set. The result is four values between 2 sec. (Q1) and 40 sec. (P98) for every OP.
Last time @ITWhisperer mentioned the BIN command. I like it! I wondered about creating 10 bins instead (kind of every 10th percentile).
I did something like

| bin TIMETAKEN bins=10 | stats count(TIMETAKEN) by TIMETAKEN

and expected to see 10 bins but the result was :

TIMETAKEN count(TIMETAKEN)
0-10 6393
10-20 389
20-30 15
40-50 2


so not 10 bins but only 4 😞 What am I doing wrong?

And how do I create 10 bins for each OP? Something like

| bin TIMETAKEN bins=10 | stats count(TIMETAKEN) by OP

 

???

0 Karma

PickleRick
SplunkTrust

Indeed the bin command behaves... interestingly.

A run-anywhere example

| makeresults count=999
| streamstats count
| eval count=count+1
| map maxsearches=10000 search="| makeresults count=10000
    | eval r=random() % 10000
    | bin bins=$count$ r
    | stats count by r
    | stats count as bins
    | eval count=$count$"

It shows that it splits into either 1, 10, 100 or 1000 buckets.

That's... strange.

0 Karma

gcusello
SplunkTrust

Hi @kp_pl ,

as you can read at https://docs.splunk.com/Documentation/SCS/current/SearchReference/BinCommandOverview

The SPL2 bin command puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.

but the option to define the groups is span and not bins; bins gives the number of groups.

so please try something like this:

<your-search>
| bin span=10 TIMETAKEN 
| stats count by TIMETAKEN

Ciao.

Giuseppe

in other words, you could use

0 Karma

kp_pl
Path Finder

It does not matter whether SPAN or BIN equals 10, it creates 4 or 5 buckets 😞 I even gave bin=20 but it returned the same result. I have to agree with @PickleRick, the behaviour of bin is sort of interesting.
But in fact the documentation says:

bins Syntax: bins=<int> Description: Sets the maximum number of bins to discretize into.

So Splunk decides how many bins it creates, not me 😞

0 Karma
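As an added illustration (example code written for this thread, not the poster's search and not Splunk's implementation): a small Python model of the two bucketing strategies discussed above. fixed_width_bins() reproduces what PickleRick's run-anywhere search and the 0-10 / 10-20 / 20-30 / 40-50 result both show, by treating bins=N as a ceiling and snapping the span to a power of 10. That snapping rule is an assumption that fits the observations on this page, not a documented Splunk algorithm. deciles_by_op() computes the per-OP 10th..90th percentile cutpoints the question was really after (equal-count buckets rather than equal-width ones), using a nearest-rank estimator, which is also an assumption. The sample durations are constructed.

```python
"""Model of SPL `bin bins=N` behaviour versus equal-frequency (decile) bucketing.

Added example for this thread; not the poster's search and not Splunk's
implementation. Assumptions are marked in comments.
"""
import math
from collections import Counter

# Constructed sample, not data from the poster's index: most operations finish
# in under 14 s, a small tail runs 12-38 s. That skew is what collapses
# `bins=10` into a handful of width-10 buckets.
SAMPLE = (
    [("login", 2.0 + (i % 5) * 0.5) for i in range(180)]
    + [("login", 12.0 + i) for i in range(20)]
    + [("search", 3.0 + (i % 8) * 1.5) for i in range(150)]
    + [("search", 20.0 + i * 2.0) for i in range(10)]
)


def snapped_span(values, max_bins):
    """Smallest power-of-10 span that yields at most `max_bins` buckets.

    Assumption: this models what `bin bins=N` appears to do on this page
    (1, 10, 100 or 1000 buckets; bins=10 and bins=20 both giving span 10).
    It is not Splunk's documented algorithm.
    """
    lo, hi = min(values), max(values)
    span = 1
    while math.floor(hi / span) - math.floor(lo / span) + 1 > max_bins:
        span *= 10
    return span


def fixed_width_bins(values, max_bins):
    """Like `bin bins=N f | stats count by f`: returns {(lower, upper): count}."""
    span = snapped_span(values, max_bins)
    counts = Counter(math.floor(v / span) * span for v in values)
    return {(lower, lower + span): n for lower, n in sorted(counts.items())}


def percentile(sorted_values, p):
    """Nearest-rank percentile: the value at rank ceil(p/100 * n).

    Assumption: a simple estimator standing in for Splunk's perc<X>(); the
    exact interpolation Splunk uses is not the point here.
    """
    n = len(sorted_values)
    k = max(1, math.ceil(p * n / 100))
    return sorted_values[k - 1]


def deciles_by_op(records):
    """Equal-count buckets per OP: {OP: [P10, P20, ..., P90]} cutpoints.

    This is the 'every 10th percentile' the question asked for. Unlike
    fixed-width bins, each bucket holds about 10% of that OP's records, but
    with heavy ties (many identical durations) adjacent cutpoints collapse.
    """
    by_op = {}
    for op, tt in records:
        by_op.setdefault(op, []).append(tt)
    return {
        op: [percentile(sorted(tts), p) for p in range(10, 100, 10)]
        for op, tts in sorted(by_op.items())
    }


if __name__ == "__main__":
    durations = [tt for _, tt in SAMPLE]
    buckets = fixed_width_bins(durations, 10)
    print(f"bins=10 requested, {len(buckets)} buckets returned:")
    for (lower, upper), n in buckets.items():
        print(f"  {lower}-{upper}: {n}")
    for op, cuts in deciles_by_op(SAMPLE).items():
        print(f"{op} deciles: {cuts}")
```

Running it on the constructed sample gives 4 fixed-width buckets for bins=10 (the same collapse the question reports), while the login deciles show the tie caveat: with 36 records each at 2.0, 2.5, 3.0, 3.5 and 4.0 seconds, several decile cutpoints land on the same value.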

PickleRick
SplunkTrust

Yes, it seems Splunk has some more internal rules on how many buckets it creates, so I think doc feedback is called for.

0 Karma

PickleRick
SplunkTrust

You checked the SPL2 bin command, not the SPL one.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin

0 Karma