Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does the bucket command create bins?

chris
Motivator
‎02-28-2014 01:33 PM

Hi

I thought that the bucket command would split events into two bins that cover half the search span if i use 2 bins on _time:

index=_internal | bucket _time bins=2 | stats count by _time

Depending on the selected time range bucket will only create 1 bin. This search yields the results I expect:

index=_internal | addinfo | eval half_span=(info_max_time-info_min_time)/2 | eval cur=if(_time>info_max_time-half_span,1,0) | stats count by cur | sort -cur

Can someone explain how bucket is used properly?

Thanks
Chris

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-28-2014 01:46 PM

The 'bins' option in bucket specifies maximum no of bins that can be created, doesn't imply that search will create two bins only. bucket command is not suitable for your requirements as your time range can be dynamic.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-28-2014 01:46 PM

The 'bins' option in bucket specifies maximum no of bins that can be created, doesn't imply that search will create two bins only. bucket command is not suitable for your requirements as your time range can be dynamic.

Reply
Solved! Jump to solution

chris
Motivator
‎02-28-2014 02:02 PM

Thank you, reading the documentation would have helped - well maybe this is useful for someone else.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top