Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Use variable on bucketing option

bfernandez
Communicator
‎06-15-2012 03:21 AM

Is there any way to use a variable on the bucketing start option? It only works if you use an explicit numeric value.

| eval DemoTime = strptime(FechaIni,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=1339372800.000000 as weeks

Thanks in advance.

0 Karma
Reply

Lamar
Splunk Employee
Splunk Employee
‎06-15-2012 07:16 AM

It's expecting an integer there, not a string. Are you stringifying your variable by double-quoting the value?

0 Karma
Reply

bfernandez
Communicator
‎06-28-2012 02:05 AM

Hi Lamar,

You are right, this option require a numeric value.

That’s the reason to use strptime that convert our human readable time string to an epoch time

Example:

adate = 2012-06-26 00:00:00.000
Initialtime = 1340661600.000000 (numeric)

Additionaly, I tried to forze this Initialtime field to numeric format with | convert num(Initialtime) as InitialtimeNum but the query always return:

Error in 'bin' command: The value for option start (InitialTime) is invalid.

Note: Splunk indicates that Convert command is mostly deprecated.

Thanks,

0 Karma
Reply

mikaelbje
Motivator
‎09-08-2015 02:45 AM

Hi Borja!

Did you ever find an answer to this? I'm struggling with the same issue. Using the value of an eval field inside a command.

0 Karma
Reply

Lamar
Splunk Employee
Splunk Employee
‎06-18-2012 07:59 AM

That's not an integer though. There are integers in that string you're creating, it might look something like this:

2012-10-10 10:10:10.100

What you want to feed it is an integer. try using:

| convert ctime (ADate) as Initialtime ...

That will be the epoch conversion of that date-time, which will be an integer that the start keyword is expecting. And if it's already epoch, just pass it over to start.

0 Karma
Reply

bfernandez
Communicator
‎06-18-2012 12:52 AM

Hi Lamar,

In this case, I am using another date field converter by strptime where it is assumed that the output is an integer

| eval Initialtime = strptime(ADate,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=Initialtime as weeks

Thanks,

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...