Solved: Re: How does the bucket command create bins?

chris · ‎02-28-2014

Hi

I thought that the bucket command would split events into two bins that cover half the search span if i use 2 bins on _time:

index=_internal | bucket _time bins=2 | stats count by _time

Depending on the selected time range bucket will only create 1 bin. This search yields the results I expect:

index=_internal | addinfo | eval half_span=(info_max_time-info_min_time)/2 | eval cur=if(_time>info_max_time-half_span,1,0) | stats count by cur | sort -cur

Can someone explain how bucket is used properly?

Thanks
Chris

somesoni2 · ‎02-28-2014

The 'bins' option in bucket specifies maximum no of bins that can be created, doesn't imply that search will create two bins only. bucket command is not suitable for your requirements as your time range can be dynamic.

View solution in original post

somesoni2 · ‎02-28-2014

The 'bins' option in bucket specifies maximum no of bins that can be created, doesn't imply that search will create two bins only. bucket command is not suitable for your requirements as your time range can be dynamic.

chris · ‎02-28-2014

Thank you, reading the documentation would have helped - well maybe this is useful for someone else.

How does the bucket command create bins?

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience