Splunk Search

What is the difference between "bin span=5m" vs "timechart span=5m"?

indeed_2000
Motivator

Hi
What is the difference between "bin span=5m" vs "timechart span=5m"?
I mean, is it better to use bin span then use timechart without timechart?
Which one is efficient? What is the difference at all?

Thanks,

0 Karma

ITWhisperer
SplunkTrust

timechart will fill in the gaps in the timeline. For example, if your time range (earliest to latest) was 09:00 to 09:15, timechart would give you events for 09:00, 09:05 and 09:10, regardless of whether there was an event, whereas bin would only give you (aggregated) events for these times if there was an event in the pipeline for the time slots.

0 Karma

indeed_2000
Motivator

Would you please explain more?

What is the difference between "bin span=5m" vs "timechart span=5m"?

 

0 Karma

ITWhisperer
SplunkTrust

Assuming you mean "bin _time span=5m" vs "timechart span=5m", there is no difference with respect to bucketing the _time value in the events.

The difference is that timechart will insert aggregation events whereas bin does not (and, assuming you are following bin with a stats command, the chart part of timechart will create fields (columns) for each series, whereas stats has columns for each aggregation (function)).

Why not try them out and see! 😀

0 Karma

indeed_2000
Motivator

@ITWhisperer  any idea?

indeed_2000_0-1657009270834.png

 

0 Karma

ITWhisperer
SplunkTrust

They look the same to me - given the data you seem to be working with - that is, there don't appear to be any gaps in the timeframe, and you aren't counting by series. If you are concerned as to whether one is better than the other, look at the job inspector to see if there is any significant difference there.

0 Karma
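Added example, not part of any post in this thread: a small Python model of the two behaviours the replies describe, using the 09:00 to 09:15 range from the first reply. The events, host names and function names are constructed for illustration; it assumes `bin _time span=5m` is followed by `stats count by _time host` and compares that with `timechart span=5m count by host`.

```python
from collections import Counter
from datetime import datetime, timedelta

SPAN = timedelta(minutes=5)

# Constructed sample events (time, host); nothing falls in the 09:05 slot.
EVENTS = [
    (datetime(2022, 7, 5, 9, 1), "web01"),
    (datetime(2022, 7, 5, 9, 3), "web02"),
    (datetime(2022, 7, 5, 9, 4), "web01"),
    (datetime(2022, 7, 5, 9, 12), "web01"),
]

def bucket(ts, span=SPAN):
    """Snap a timestamp down to the start of its span, as both commands do to _time."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // span) * span

def bin_then_stats(events):
    """Model of `bin _time span=5m | stats count by _time host` (assumed follow-up):
    rows exist only for (bucket, host) pairs that have events; one column per aggregation."""
    counts = Counter((bucket(ts), host) for ts, host in events)
    return [{"_time": t, "host": h, "count": c} for (t, h), c in sorted(counts.items())]

def timechart(events, earliest, latest):
    """Model of `timechart span=5m count by host` over earliest..latest:
    one row per bucket in the range, one column per series, empty slots filled with 0."""
    counts = Counter((bucket(ts), host) for ts, host in events)
    series = sorted({host for _, host in events})
    rows, t = [], bucket(earliest)
    while t < latest:
        rows.append({"_time": t, **{h: counts[(t, h)] for h in series}})
        t += SPAN
    return rows

if __name__ == "__main__":
    start, end = datetime(2022, 7, 5, 9, 0), datetime(2022, 7, 5, 9, 15)
    print("bin + stats:")
    for row in bin_then_stats(EVENTS):
        print("  ", row)
    print("timechart:")
    for row in timechart(EVENTS, start, end):
        print("  ", row)
```

For alerting or detection searches the practical consequence is that a quiet 5-minute slot shows up as an explicit zero row only in the timechart-style output; with bin followed by stats the slot is simply absent.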