Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the different between "bin span=5m" vs "timechart span=5m"?

indeed_2000
Motivator
‎07-04-2022 12:19 AM

Hi
What is the different between "bin span=5m" vs "timechart span=5m"?
I mean it is better to use bin span then use timechart without timechart?
which one efficient? what is the different at all?

Thanks,

Labels (5)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 12:32 AM

timechart will fill in the gaps in the timeline - for example, if your time range (earliest to latest) was 09:00 to 09:15, - timechart would give you events for 09:00, 09:05 and 09:10, regardless of whether there was an event, whereas bin would only give you (aggregated) events for these times if there was an event in the pipeline for the time slots.

0 Karma
Reply

indeed_2000
Motivator
‎07-04-2022 09:11 AM

Would you please explain more?

What is the different between "bin span=5m" vs "timechart span=5m"

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 09:31 AM

Assuming you mean "bin _time span=5m" vs "timechart span=5m", there is no difference with respect to bucketing the _time value in the events.

The difference is that timechart will insert aggregation events whereas bin does not (and assuming you are following bin with a stats command, the chart part of timechart will create fields (columns) for each series, whereas stats has columns for each aggregation (function).

Why not try them out and see! 😀

0 Karma
Reply

indeed_2000
Motivator
‎07-05-2022 01:21 AM

@ITWhisperer  any idea?

indeed_2000_0-1657009270834.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-05-2022 01:29 AM

They look the same to me - given the data you seem to be working with - that is, there don't appear to be any gaps in the timeframe, and you aren't counting by series. If you are concerned as to whether one is better than the other, look at the job inspector to see if there is any significant difference there.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...