Solved: Re: How does the bucket command create bins?

chris · ‎02-28-2014

Hi

I thought that the bucket command would split events into two bins that cover half the search span if i use 2 bins on _time:

index=_internal | bucket _time bins=2 | stats count by _time

Depending on the selected time range bucket will only create 1 bin. This search yields the results I expect:

index=_internal | addinfo | eval half_span=(info_max_time-info_min_time)/2 | eval cur=if(_time>info_max_time-half_span,1,0) | stats count by cur | sort -cur

Can someone explain how bucket is used properly?

Thanks
Chris

somesoni2 · ‎02-28-2014

The 'bins' option in bucket specifies maximum no of bins that can be created, doesn't imply that search will create two bins only. bucket command is not suitable for your requirements as your time range can be dynamic.

View solution in original post

somesoni2 · ‎02-28-2014

The 'bins' option in bucket specifies maximum no of bins that can be created, doesn't imply that search will create two bins only. bucket command is not suitable for your requirements as your time range can be dynamic.

chris · ‎02-28-2014

Thank you, reading the documentation would have helped - well maybe this is useful for someone else.

How does the bucket command create bins?

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...