Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the different between "bin span=5m" vs "timechart span=5m"?

indeed_2000
Motivator
‎07-04-2022 12:19 AM

Hi
What is the different between "bin span=5m" vs "timechart span=5m"?
I mean it is better to use bin span then use timechart without timechart?
which one efficient? what is the different at all?

Thanks,

Labels (5)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 12:32 AM

timechart will fill in the gaps in the timeline - for example, if your time range (earliest to latest) was 09:00 to 09:15, - timechart would give you events for 09:00, 09:05 and 09:10, regardless of whether there was an event, whereas bin would only give you (aggregated) events for these times if there was an event in the pipeline for the time slots.

0 Karma
Reply

indeed_2000
Motivator
‎07-04-2022 09:11 AM

Would you please explain more?

What is the different between "bin span=5m" vs "timechart span=5m"

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 09:31 AM

Assuming you mean "bin _time span=5m" vs "timechart span=5m", there is no difference with respect to bucketing the _time value in the events.

The difference is that timechart will insert aggregation events whereas bin does not (and assuming you are following bin with a stats command, the chart part of timechart will create fields (columns) for each series, whereas stats has columns for each aggregation (function).

Why not try them out and see! 😀

0 Karma
Reply

indeed_2000
Motivator
‎07-05-2022 01:21 AM

@ITWhisperer  any idea?

indeed_2000_0-1657009270834.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-05-2022 01:29 AM

They look the same to me - given the data you seem to be working with - that is, there don't appear to be any gaps in the timeframe, and you aren't counting by series. If you are concerned as to whether one is better than the other, look at the job inspector to see if there is any significant difference there.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...