Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use variable on bucketing option

bfernandez
Communicator
‎06-15-2012 03:21 AM

Is there any way to use a variable on the bucketing start option? It only works if you use an explicit numeric value.

| eval DemoTime = strptime(FechaIni,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=1339372800.000000 as weeks

Thanks in advance.

0 Karma
Reply

Lamar
Splunk Employee
Splunk Employee
‎06-15-2012 07:16 AM

It's expecting an integer there, not a string. Are you stringifying your variable by double-quoting the value?

0 Karma
Reply

bfernandez
Communicator
‎06-28-2012 02:05 AM

Hi Lamar,

You are right, this option require a numeric value.

That’s the reason to use strptime that convert our human readable time string to an epoch time

Example:

adate = 2012-06-26 00:00:00.000
Initialtime = 1340661600.000000 (numeric)

Additionaly, I tried to forze this Initialtime field to numeric format with | convert num(Initialtime) as InitialtimeNum but the query always return:

Error in 'bin' command: The value for option start (InitialTime) is invalid.

Note: Splunk indicates that Convert command is mostly deprecated.

Thanks,

0 Karma
Reply

mikaelbje
Motivator
‎09-08-2015 02:45 AM

Hi Borja!

Did you ever find an answer to this? I'm struggling with the same issue. Using the value of an eval field inside a command.

0 Karma
Reply

Lamar
Splunk Employee
Splunk Employee
‎06-18-2012 07:59 AM

That's not an integer though. There are integers in that string you're creating, it might look something like this:

2012-10-10 10:10:10.100

What you want to feed it is an integer. try using:

| convert ctime (ADate) as Initialtime ...

That will be the epoch conversion of that date-time, which will be an integer that the start keyword is expecting. And if it's already epoch, just pass it over to start.

0 Karma
Reply

bfernandez
Communicator
‎06-18-2012 12:52 AM

Hi Lamar,

In this case, I am using another date field converter by strptime where it is assumed that the output is an integer

| eval Initialtime = strptime(ADate,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=Initialtime as weeks

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...