How does this know to look at the timestamp I'm examining? I should also mention this is not a Splunk timestamp it is an attribute of the table that I have pulled into Splunk from a Db

You can specify a different timestamp:

| bin span=5min <timestamp field>

You may need to look into how that field needs to be formatted to work with the bin command.

Ok, thank you for your help. I'll test it the next time I have an anomaly.

1) The span=5m assumes your data is formatted as epoch-time ... as a number (integer or float) where +1 = +1 second.

2) bin truncates the timestamp to the preceding 5m interval.

3) If your timestamp is occasionally off by 1 minute, I'd recommend doing a histogram on each source with a span to see where the breaks are. For example, If source 1 item timestamps are at 4:20-7:45 and 9:15-2:27 minutes, then I'd recommend adding 50 seconds before the bin command, so that the former bin to 5:00 and the latter to 0:00.

(your search for one source ) | bin mytime as mytime600 span=10m | bin mytime as mytime10 span=10s | eval mytime0=mytime10-mytime600 | chart count by mytime0

Either way, you're going to have to play around a bit to make sure you are cutting the events on each side at the right spot so that they match up.

Very helpful explanation, thank you. I think this should work. I'll update the post when I have found my solution.