Splunk Search

BIN - incorrect buckets

kp_pl
Path Finder

In my case there is an index with a field OP which has a duration TT. Of course there are a lot of records with different OPs and different TTs.

| stats perc25(TT) as Q1, median(TT) as Q2MEDIAN, perc75(TT) as Q3, perc98(TT) as P98 by OP

Here is the way I count the quartiles and the 98th percentile of my set. The result is four values between 2 sec. (Q1) and 40 sec. (P98) for every OP.
Last time @ITWhisperer mentioned the command BIN. I like it! I wondered about creating 10 bins instead (kind of every 10th percentile).
I did something like

| bin TIMETAKEN bins=10 | stats count(TIMETAKEN) by TIMETAKEN

and expected to see 10 bins but the result was :

TIMETAKEN count(TIMETAKEN)
0-10 6393
10-20 389
20-30 15
40-50 2


so not 10 bins but only 4 😞 What am I doing wrong?

And how to create 10 bins for each OP ? Something like

| bin TIMETAKEN bins=10 | stats count(TIMETAKEN) by OP

 

???


PickleRick
SplunkTrust

Indeed the bin command behaves... interestingly.

A run-anywhere example

| makeresults count=999
| streamstats count
| eval count=count+1
| map maxsearches=10000 search="| makeresults count=10000
| eval r=random() % 10000
| bin bins=$count$ r
| stats count by r|stats count as bins |eval count=$count$"

It shows that it splits into either 1, 10, 100 or 1000 buckets.

That's... strange.


gcusello
SplunkTrust

Hi @kp_pl ,

as you can read at https://docs.splunk.com/Documentation/SCS/current/SearchReference/BinCommandOverview 

The SPL2 bin command puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.

but the option to define the groups is span, not bins; bins gives the number of groups.

so please try something like this:

<your-search>
| bin span=10 TIMETAKEN 
| stats count by TIMETAKEN

Ciao.

Giuseppe

in other words, you could use


kp_pl
Path Finder

It does not matter whether SPAN or BIN equals 10, it creates 4 or 5 buckets 😞 I even gave bin=20 but it returned the same result. I have to agree with @PickleRick: the behaviour of bin is sort of interesting.
But in fact documentation says :

bins Syntax: bins=<int> Description: Sets the maximum number of bins to discretize into.

So Splunk decides how many bins it creates, not me 😞


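An added illustration, not Splunk's code and not posted by anyone in this thread: a small Python model of the behaviour the thread observes. It assumes that bins=N is a ceiling and that the span is picked from powers of ten so that the bucket count never exceeds N; that assumption matches PickleRick's 1/10/100/1000 result and the "same result for bins=20" observation above, but it is a model, not documented Splunk internals. It runs over constructed sample rows shaped like the question's TIMETAKEN values and also splits the buckets per OP, the analogue of `| bin TIMETAKEN bins=10 | stats count by OP, TIMETAKEN`.

```python
import math
from collections import Counter, defaultdict

# Constructed sample rows (OP, TIMETAKEN in seconds), shaped like the
# question's data: most values below 10 s with a thin tail out to ~45 s.
SAMPLE = (
    [("login", t) for t in (1, 2, 2, 3, 4, 6, 9, 12, 15)]
    + [("search", t) for t in (3, 5, 7, 8, 11, 19, 23, 27, 45)]
    + [("export", t) for t in (0.5, 1, 1, 2, 2, 3, 3, 31, 41)]
)


def span_for_bins(values, max_bins):
    """Smallest power-of-ten span whose bucket count does not exceed max_bins.

    ASSUMPTION: this models the thread's observation (bins= is a maximum and
    the bucket count jumps 1 -> 10 -> 100 -> 1000); it is not Splunk's code.
    """
    lo, hi = min(values), max(values)
    span = 1.0
    while math.floor(hi / span) - math.floor(lo / span) + 1 > max_bins:
        span *= 10
    return span


def bucket_label(value, span):
    """Render a bucket the way the question's output shows it, e.g. '0-10'."""
    start = math.floor(value / span) * span
    fmt = (lambda x: str(int(x))) if span >= 1 else (lambda x: f"{x:g}")
    return f"{fmt(start)}-{fmt(start + span)}"


def _ordered(counter):
    # Sort bucket labels numerically by their lower edge.
    return dict(sorted(counter.items(), key=lambda kv: float(kv[0].split("-")[0])))


def bin_count(rows, bins=None, span=None):
    """Analogue of '| bin TIMETAKEN bins=N' (or 'span=S') followed by
    '| stats count by TIMETAKEN'. Returns (span used, {label: count})."""
    values = [t for _, t in rows]
    if span is None:
        span = span_for_bins(values, bins)
    return span, _ordered(Counter(bucket_label(t, span) for t in values))


def bin_count_by_op(rows, bins=None, span=None):
    """Analogue of '| bin TIMETAKEN bins=N | stats count by OP, TIMETAKEN':
    the span is chosen once over all events, then counts are split per OP."""
    values = [t for _, t in rows]
    if span is None:
        span = span_for_bins(values, bins)
    per_op = defaultdict(Counter)
    for op, t in rows:
        per_op[op][bucket_label(t, span)] += 1
    return {op: _ordered(c) for op, c in sorted(per_op.items())}


def bucket_count(values, bins):
    """Number of non-empty buckets bins=N yields for the given values
    (the quantity PickleRick's makeresults/map search measures)."""
    span = span_for_bins(values, bins)
    return len({bucket_label(v, span) for v in values})


if __name__ == "__main__":
    for n in (10, 20, 100):
        span, counts = bin_count(SAMPLE, bins=n)
        print(f"bins={n}: span={span:g}, {len(counts)} non-empty buckets -> {counts}")
    print("span=5:", bin_count(SAMPLE, span=5)[1])
    print("bins=10 by OP:", bin_count_by_op(SAMPLE, bins=10))
    # Uniform 0..9999 as in the run-anywhere example: the count snaps to 1/10/100/1000.
    uniform = list(range(10000))
    print({n: bucket_count(uniform, n) for n in (5, 50, 500, 5000)})
```

Under this model bins=10 and bins=20 both settle on a span of 10 over the sample and produce the same five 0-50 buckets, while bins=100 drops to a span of 1; an explicit span= is the only argument that fixes the bucket width, and the number of rows you see is simply how many of those buckets are non-empty.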

PickleRick
SplunkTrust

Yes, it seems Splunk has some more internal rules on how many buckets it creates, so I think doc feedback is called for.


PickleRick
SplunkTrust

You checked the SPL2 bin command, not the SPL one.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin
