Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

BIN - incorrect buckets

kp_pl
Path Finder
‎08-01-2024 06:25 AM

In my case there is an index with field OP which has a duration TT . Of course there are a lot of records with different OPs and diffent TTs

| stats perec25(TT) as Q1, median(TT) as Q2MEDIAN, perc75(TT) as Q3, perc98(TT) as P98 by OP

Here is the way I count quartiles and 98percentile of my set. The result is four values between 2sek.(Q1 ) and 40sek.(P98) for every OP.
Last time @ITWhisperer mestioned about command BIN. I like it! I wondered about creating 10 bins instead ( kind of every10 percentile).
I did somethink like

| bin TIMETAKEN bins=10 |stats count(TIMETAKEN) by TIMETAKEN

and expected to see 10 bins but the result was :

TIMETAKEN count(TIMETAKEN)
0-10 6393
10-20 389
20-30 15
40-50 2


so no 10 bins but only 4 😞 What am I doing wrong ?

And how to create 10 bins for each OP ? Something like

| bin TIMETAKEN bins=10 |stats count(TIMETAKEN) by OP

 

???

 

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-01-2024 01:24 PM

Indeed the bin command behaves... interestingly.

A run-anywhere example

| makeresults count=999
| streamstats count
| eval count=count+1
| map maxsearches=10000 search="| makeresults count=10000
| eval r=random() % 10000
| bin bins=$count$ r 
| stats count by r|stats count as bins |eval count=$count$"

It shows that it splits into either 1, 10, 100 or 1000 buckets.

That's... strange.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-01-2024 07:56 AM

Hi @kp_pl ,

as you can run at https://docs.splunk.com/Documentation/SCS/current/SearchReference/BinCommandOverview 

The SPL2 bin command puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.

but the option to give the groups is span and not bin, bin gives the number of groups.

so please try something like this:

<your-search>
| bin span=10 TIMETAKEN 
| stats count by TIMETAKEN

Ciao.

Giuseppe

in other words, you could use

0 Karma
Reply

kp_pl
Path Finder
‎08-01-2024 02:27 PM

Does not matter SPAN or BIN equal 10  it creates 4 or 5 buckets 😞  I even gave bin=20  but it returned the same result. I need to agree with @PickleRick  behaviour of  bin is sort of interesting . 
But in fact documentation says :

bins Syntax: bins=<int> Description: Sets the maximum number of bins to discretize into.

So the Splunk decides how many bin it creates not me 😞


 
 
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-02-2024 04:30 AM

Yes, it seems Splunk has some more internal rules on how many buckets it creates so I think a doc feedback is called for.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-01-2024 11:22 AM

You checked the SPL2 bin command, not the SPL one.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...