Splunk Search

How to specify fixed size bucket/bin with stats?

Explorer

When I create a stats search and try to specify bins as follows:
bucket time_taken bins=10 | stats count(_time) as size_a by time_taken

I get different bin sizes when I change the time span from last 7 days to Year to Date.
I am looking for fixed bin sizes of 0-100, 100-200, 200-300 and so on, irrespective of the data points generated by time.

How can I achieve this?

Any help is appreciated.
Thanks

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Use span instead of bins option with bucket command, like this

...| bucket span=100 time_taken | stats count as size_a by time_taken | sort num(time_taken)


Explorer

@somesoni2 thanks, that helped. Though as I change the time, the x-axis labels disappear. I don't know how to display them permanently.

0 Karma

SplunkTrust
SplunkTrust

The x-axis labels will be visible based on the number of points being shown (works well if the number of points is under 100, or 74 from what I recall). So check how many rows your stats is giving back; maybe adjust your span accordingly.

@Daljeanis, I guess the bucketing works well if they are standard spans like 10, 5, 20, 100. I tested with this run-anywhere sample and it seems to be consistent with "good" spans.

| gentimes start=-1000 | streamstats count as sno | where sno>3| bucket span=10 sno | stats count by sno | sort num(sno)

0 Karma
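Added example, not from the thread: a small Python model of the accepted answer's `bucket span=100` versus the asker's original `bucket bins=10`, run over constructed `time_taken` samples, to show why `span` keeps the 0-100, 100-200, ... buckets fixed while the widths produced by `bins` shift as the time range grows. The floor-to-a-multiple-of-span alignment and the "nice number" width rounding for `bins` are assumptions of this model, not Splunk's own implementation.

```python
# Constructed model of Splunk's bucket/bin command for two options:
#   bucket span=N field  -> fixed-width buckets aligned to multiples of N
#   bucket bins=N field  -> width derived from the data range (changes with the range)
import math
from collections import Counter


def bucket_span(values, span):
    """Model `bucket span=<span> field | stats count by field | sort num(field)`.
    Each value is floored to a multiple of span (assumption), so 53 -> 0 and 152 -> 100,
    which is why buckets stay 0-100, 100-200, ... whatever the data range."""
    counts = Counter(math.floor(v / span) * span for v in values)
    return sorted(counts.items())  # numeric ascending, like `sort num(field)`


def bucket_bins(values, bins):
    """Model `bucket bins=<bins> field`: the width comes from (max - min) / bins,
    rounded up to a 'nice' number (1, 2, 5, 10 x 10^k) -- an assumption about
    Splunk's rounding. Returns (width, sorted bucket counts)."""
    lo, hi = min(values), max(values)
    raw = (hi - lo) / bins
    exp = 10 ** math.floor(math.log10(raw)) if raw > 0 else 1
    width = next(m * exp for m in (1, 2, 5, 10) if m * exp >= raw)
    counts = Counter(math.floor(v / width) * width for v in values)
    return width, sorted(counts.items())


# Constructed time_taken samples: a short window vs. a year-to-date-like window
LAST_7_DAYS = [53, 87, 120, 152, 230, 260, 310, 410, 470, 590]
YEAR_TO_DATE = LAST_7_DAYS + [1250, 2400, 3100, 4800, 7600, 9900]

if __name__ == "__main__":
    for name, data in (("last 7 days", LAST_7_DAYS), ("year to date", YEAR_TO_DATE)):
        print(name, "span=100:", bucket_span(data, 100))
        width, rows = bucket_bins(data, 10)
        print(name, f"bins=10 -> width {width}:", rows)
```

Running it shows `bins=10` choosing a width of 100 for the short window but 1000 for the longer one, while `span=100` returns identical 0, 100, 200, ... buckets for both.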

Explorer

@somesoni2, can we not limit the axis range from 0-100 to the last data point, 1000-1100? Just show the end buckets and skip the rest of them to make it look sensible.

0 Karma

SplunkTrust
SplunkTrust

You can specify how many records you want to keep by either specifying a limit in your sort command OR using the head command, like this (for sort without a by clause):

current command including stats | sort 100 num(sno)

OR

current command including stats | sort num(sno) | head 100

0 Karma

Explorer

This would provide me with the top 100 values. I am looking for all the values but a custom x-axis label to at least get some context for the presented data, like getting the first and last bin on the x-axis label.

0 Karma

SplunkTrust
SplunkTrust

AFAIK, no such option exists.

0 Karma

SplunkTrust
SplunkTrust

Does bucket sometimes start from odd numbers, like 53-152? I seem to recall having had to add a "zero" record before and delete it after in order to make the numbers be even. Might have been when the range went to negative numbers as well.

0 Karma