It's always been in the start _time of the bucket for me, but that's only splunk in the versions above 6's.
Notice, you are asking for different behavior for days than you are for minutes.
If you applied the same logic to days, anything you do today will have tomorrow's date!
Same for hours. Standard bin will give 11:00 all times between 11:00:00 and up to but not including 12:00:00.
If you really want to use the end-time for _time , then you have two tweaks to do:
1) subtract an infinitesimal amount (like a microsecond) from the _time before the bin , if you want to be sure that events exactly at 10:45:00 will end up in the 10:45:00 bucket.
2) add the bin size to the in after binning.
| eval _time = _time -.000001
| bin _time span=5m
| eval _time = _time + 300
Usually, if it ever matters fro presentation and adding clarity, I just add another field for the end_time of the bin .
... View more