how to set not continuous number span for bucket v...

cheriemilk · ‎11-04-2021

Hi team,

I have such event in splunk that log the employee number in each online meeting. I want to

find and sats the employee number distribution and percentage%

I have below query that the bin span is continuous number 100.

<baseQuery>
|bin empNumber span=100
|stats count by empNumber
|eventstats sum(count) as total
|eval ratio%=round(empNumber/total*100,2)
|fields - total,empNumber
|sort - ratio%

But now the stats requirement is changed. Because 90% online meeting has employee number less than 100, so I want to set such not continuous bins in one query

1) for online meeting that employee number less than 100, I want to set the bin value to 10

2)for online meeting that employee number greater than 100, I want to set the bin value to 100

And I don't want to query two times, stats by binvalue=100 first, then stats binvalue=10 again. I want to make it happen in one query.

Questions: how to change my existing query to meet the query requirement.

ITWhisperer · ‎11-04-2021

| eval empNumber=if(empNumber<100,(floor(empNumber/10)*10)."-".(floor((empNumber+10)/10)*10),(floor(empNumber/100)*100)."-".(floor((empNumber+100)/100)*100))

how to set not continuous number span for bucket value

stats

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

how to set not continuous number span for bucket value

stats

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA