Splunk Search

How to calculate through bin command ?

Jouman
Path Finder

Hi all,

I would like to use bin command to make the demo data sets into 10 bins according to Exe_time and list Substage_time along with it.
Do anyone have ideas about how to use bin command correctly?

I use these commands, but the output isn't as my expectation.
|bin Exe_time as time_bin bins=10
|stats values(Substage_time) by time_bin


Demo data sets are listed below: 

Exe_timeSubstage_timeCount
108
11
2
219
12
2
3281
439
19
4
549
12
3
658
11
6
669
19
7
678
11
6
709
12
6
718
11
5
8074
81 9
12
11
9578
108113
2208
11
5


Thank you.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

10 is the maximum, not the minimum - 3 does not exceed the 10 so is a valid way of dividing up the values. If you play around with the mock data, you may be able to determine how it decides on the range size for the bins, but I suspect it might go something like this: does range 1 give a maximum of 10 bins? No. OK how about 10? Yes, with range of 10, all the values will fit into no more than 10 bins. Perhaps with more values the next size up would be 100 or perhaps 20. Whatever the range size, you will get no more than 10 bins.

The other way of using bin is to use the span option - for this you could use span=10 which may give you more bins, but the range would be 10.

View solution in original post

0 Karma

Jouman
Path Finder

Hi all,

I use the demo data and the bin commands as below.
I expect to get 5 bins seperately,
1st bin : include 1-4
2nd bin : include 5-8
3rd bin : include 9-12
4th bin : include 13-16
5th bin : include 17-20

But the output bin is only 2, they are 0-10 and 10-20.

--------------------------------------------

| makeresults
| eval exe_time="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20"
| makemv exe_time delim=","
| mvexpand exe_time
| bin exe_time as time_bin bins=10

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

bins specifies the maximum number of bins. The bin command will not do what you want the way you want it. You could try evaluating a new field with the calculated bin number that you want from the exe_time field.

0 Karma

Jouman
Path Finder

Hi all,

Do you know what is the logic of bin command?

I want to explain why the number of bin is 2 instead of 10.

Thank you.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

10 is the maximum, not the minimum - 3 does not exceed the 10 so is a valid way of dividing up the values. If you play around with the mock data, you may be able to determine how it decides on the range size for the bins, but I suspect it might go something like this: does range 1 give a maximum of 10 bins? No. OK how about 10? Yes, with range of 10, all the values will fit into no more than 10 bins. Perhaps with more values the next size up would be 100 or perhaps 20. Whatever the range size, you will get no more than 10 bins.

The other way of using bin is to use the span option - for this you could use span=10 which may give you more bins, but the range would be 10.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The format of the bin command you have used is correct.

How is the result not matching your expectation?

What is it you are trying to do?

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...