Splunk Search

How to specify fixed size bucket/bin with stats?

howardroark
Explorer

When I create a stats and try to specify bins with the following:
bucket time_taken bins=10 | stats count(_time) as size_a by time_taken

I get different bin sizes when I change the time span from last 7 days to Year to Date.
I am looking for fixed bin sizes of 0-100,100-200,200-300 and so on, irrespective of the data points generated by time.

How can I achieve this?

Any help is appreciated.
Thanks

1 Solution

somesoni2
SplunkTrust

Use span instead of bins option with bucket command, like this

...| bucket span=100 time_taken | stats count as size_a by time_taken | sort num(time_taken)

howardroark
Explorer

@somesoni2 thanks, that helped. Though as I change the time, the x-axis labels disappear. I don't know how to display them permanently.


somesoni2
SplunkTrust

The x-axis labels will be visible based on the number of points being shown (works well if the number of points is under 100, or 74, from what I recall). So check how many rows your stats is giving back; maybe adjust your span accordingly.

@Daljeanis, I guess the bucketing works well if they are standard spans like 10, 5, 20, 100. I tested with this run-anywhere sample and it seems to be consistent with "good" spans.

| gentimes start=-1000 | streamstats count as sno | where sno>3| bucket span=10 sno | stats count by sno | sort num(sno)
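To make the difference between bins= and span= concrete, here is a small Python model of the two bucketing modes discussed in the question and the accepted answer. It is an added example, not Splunk's code and not from anyone in this thread: the sample time_taken values and the two "search windows" are constructed, the bins= model simply divides the observed range evenly (Splunk additionally rounds to a "nice" width), and the assumption that span= buckets are aligned to multiples of the span (0-100, 100-200, never 53-152) is this model's, not verified Splunk behaviour. It also shows why the sort num(time_taken) in the answer matters: the "lo-hi" labels sort wrongly as strings.

```python
import math
from collections import Counter

# Constructed sample values for a time_taken field (milliseconds).
# The second list adds later, larger values, standing in for what a
# Year-to-Date search returns on top of a Last-7-days search.
LAST_7_DAYS = [12, 53, 97, 105, 152, 230, 260, 310, 455, 480]
YEAR_TO_DATE = LAST_7_DAYS + [620, 870, 999, 1001, 1450, 2300]


def bucket_span(values, span):
    """Model of `bucket span=<span> field`.

    Each value lands in the fixed-width range [lo, lo+span) where lo is the
    largest multiple of span not exceeding the value, labelled "lo-hi" like a
    range string. Alignment to multiples of span is this model's assumption.
    Bucket width never depends on the data, only on span.
    """
    counts = Counter()
    for v in values:
        lo = math.floor(v / span) * span
        counts[f"{lo}-{lo + span}"] += 1
    return counts


def bucket_bins(values, bins):
    """Model of `bucket bins=<bins> field`.

    Width is derived from the observed min/max, so a wider search window
    yields wider buckets. Splunk rounds to a "nice" width; this model just
    divides the range evenly to show the dependence on the data.
    Returns (counts, width).
    """
    lo, hi = min(values), max(values)
    width = max(1, math.ceil((hi - lo) / bins))
    counts = Counter()
    for v in values:
        start = lo + ((v - lo) // width) * width
        counts[f"{start}-{start + width}"] += 1
    return counts, width


def lower_edge(label):
    """Numeric lower edge of a "lo-hi" label, for a `sort num(field)`-style order.

    Splitting on the last '-' keeps a negative lower edge such as "-100-0" intact.
    """
    return int(label.rsplit("-", 1)[0])


def sorted_rows(counts):
    """Rows ordered by numeric lower edge, as `sort num(time_taken)` would do.

    A plain string sort would put "1000-1100" before "200-300".
    """
    return [(label, counts[label]) for label in sorted(counts, key=lower_edge)]


if __name__ == "__main__":
    for name, values in (("last 7 days", LAST_7_DAYS), ("year to date", YEAR_TO_DATE)):
        _, width = bucket_bins(values, 10)
        print(f"{name}: bins=10 gives width {width}; span=100 rows:")
        for label, n in sorted_rows(bucket_span(values, 100)):
            print(f"  {label:>10} {n}")
```

Running it shows the bins=10 width jumping from 47 to 229 when the window grows, while the span=100 rows keep the same 0-100, 100-200, ... edges and only gain rows at the top end, which is the fixed layout the question asks for.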

howardroark
Explorer

@somesoni2 can we not limit the axis range 0-100 to the last data point 1000-1100? Just show the end buckets and skip the rest of them to make it look sensible.


somesoni2
SplunkTrust

You can specify how many records you want to keep by either specifying limit in your sort command OR using head command, like this (for sort without by clause):

current command including stats | sort 100 num(sno)

OR

current command including stats | sort num(sno) | head 100

howardroark
Explorer

This would provide me with the top 100 values. I am looking for all the values but a custom x-axis label, to at least get some context for the presented data, like getting the first and last bin on the x-axis label.


somesoni2
SplunkTrust

AFAIK, no such option exists.


DalJeanis
SplunkTrust

Does bucket sometimes start from odd numbers, like 53-152? I seem to recall having had to add a "zero" record before and delete it after in order to make the numbers be even. Might have been when the range went to negative numbers as well.
