Splunk Search

How to remove unfinished buckets from "bin" command

rohitmaheshwari
Explorer

I am using a bin command on _time field to have 10 minute sections of data. Like below:

|bin _time span=10m minspan=10m | stats sum(myField) as myField by _time
|streamstats avg(myField) as avg by another field

I am trying to compare the most current value in the completed 10 minute block with the average of 10 minute blocks of data.
My understanding is that span should create 10 minute buckets on the data and minspan should filter out buckets that are not 10 minutes yet. So if right now it's 10:25 then the bucket for 10:20 should not be created. But that is not the case; I am getting the 10:20 bucket, which has partial data, compared to the average.

Any workaround, a better option, or a more efficient way of doing this will be very helpful.

Thanks in advance!!


Richfez
SplunkTrust

OK I thought there was a way to tell what each time slot was, and by that you could then dump any that weren't the right length.

But I couldn't find that.

So I decided to cut and run, let's use transaction which has an option to do exactly what you want.

...| timechart partial=false sum(myField) as myField | streamstats avg(myField) as avg by another field

That partial=false should get rid of the trailing, partially filled timeslot.
(And obviously, you don't need bin any more since timechart does the binning by itself.)

Happy Splunking!
-Rich
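To make the effect of dropping the trailing partial bucket concrete, here is an added Python example (not from the original post or from Splunk) that reproduces the bucketing logic outside Splunk: events are floored to 10-minute boundaries like `bin _time span=10m`, summed per bucket like `stats sum(myField) by _time`, and then any bucket whose end lies after "now" is discarded, which is what `timechart partial=false` does. The sample events, the fixed "now" of 10:25 and the field values are all constructed for the demo; the same cutoff can be expressed in SPL after the stats as `| where _time < floor(now()/600)*600`.

```python
from collections import defaultdict
from statistics import mean

SPAN = 600  # 10-minute buckets in seconds, the equivalent of span=10m

# Constructed sample data: (epoch seconds, myField value).
# "now" is pinned at 10:25, so the 10:20 bucket is still open (partial).
NOW = 10 * 3600 + 25 * 60
EVENTS = [
    (10 * 3600 + 0 * 60 + 5, 4),   # 10:00 bucket
    (10 * 3600 + 7 * 60, 6),       # 10:00 bucket  -> sum 10
    (10 * 3600 + 12 * 60, 3),      # 10:10 bucket
    (10 * 3600 + 18 * 60, 5),      # 10:10 bucket  -> sum 8
    (10 * 3600 + 21 * 60, 2),      # 10:20 bucket  -> sum 2 (partial)
]


def bucket_start(t, span=SPAN):
    """Floor a timestamp to its bucket boundary (what bin _time span=10m does)."""
    return (t // span) * span


def bin_sum(events, span=SPAN):
    """Equivalent of: | bin _time span=10m | stats sum(myField) as myField by _time"""
    sums = defaultdict(int)
    for t, value in events:
        sums[bucket_start(t, span)] += value
    return dict(sorted(sums.items()))


def drop_partial(buckets, now, span=SPAN):
    """Keep only buckets that have fully elapsed at `now`.

    A bucket starting at S covers [S, S+span); it is complete when
    S + span <= now, i.e. S < floor(now/span)*span. This is the
    behaviour timechart partial=false gives for the last slot.
    """
    cutoff = bucket_start(now, span)
    return {start: v for start, v in buckets.items() if start < cutoff}


def latest_vs_average(buckets):
    """Compare the newest bucket with the running average over all buckets
    (the streamstats avg in the question, evaluated at the last row)."""
    starts = sorted(buckets)
    latest = buckets[starts[-1]]
    average = mean(buckets[s] for s in starts)
    return latest, average, latest - average


if __name__ == "__main__":
    all_buckets = bin_sum(EVENTS)
    complete = drop_partial(all_buckets, NOW)
    print("with partial bucket:   ", latest_vs_average(all_buckets))
    print("without partial bucket:", latest_vs_average(complete))
```

Running it shows why the question's comparison looked wrong: with the open 10:20 bucket included, the "latest" value is the half-filled 2, which drags both the latest value and the average down; once the partial bucket is dropped the comparison is between the last complete 10-minute block and the average of complete blocks only.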
