Documentation > Splunk > Search Reference > bucket

Search Reference

 


Welcome
Search Overview
Search Commands
Custom Search Commands

bucket

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

bucket

Synopsis

Puts continuous numerical values into discrete sets.

Syntax

bucket [bucketing-option]* field [as field]

Arguments

<bucketing-option>
Datatype: bins | span | start-end
Description: Discretization options. See "Bucketing options" for details.
<field>
Datatype: <fieldname>
Description: Specify a field name.
<newfield>
Datatype: <string>
Description: A new name for the field.

Bucketing options

bins
Syntax: bins=<int>
Description: Sets the maximum number of bins to discretize into.
span
Syntax: <log-span> | <span-length>
Description: Sets the size of each bucket, using a span length based on time or log-based span.
<start-end>
Syntax: end=<num> | start=<num>
Description:Sets the minimum and maximum extents for numerical buckets. Data outside of the [start, end] range is discarded.

Log span syntax

<log-span>
[<num>]log[<num>]
Sets to log-based span. The first number is a coefficient. The second number is the base. If the first number is supplied, it must be a real number >= 1.0 and < base. Base, if supplied, must be real number > 1.0 (strictly greater than 1).

Span length syntax

span-length
<span>[<timescale>]
A span length based on time.
<span>
<int>
The span of each bin. If using a timescale, this is used as a time range. If not, this is an absolute bucket "length."
<timescale>
<sec> | <min> | <hr> | <day> | <month> | <subseconds>
Time scale units.
<sec>
s | sec | secs | second | seconds
Time scale in seconds.
<min>
m | min | mins | minute | minutes
Time scale in minutes.
<hr>
h | hr | hrs | hour | hours
Time scale in hours.
<day>
d | day | days
Time scale in days.
<month>
mon | month | months
Time scale in months.
<subseconds>
us | ms | cs | ds
Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds).

Description

Puts continuous numerical values in fields into discrete sets, or buckets. The default field processed is _time. Note: Bucket is called by chart and timechart automatically and is only needed for statistical operations that timechart and chart cannot process.

Examples

Example 1: Return the average "thruput" of each "host" for each 5 minute time span.

... | bucket _time span=5m | stats avg(thruput) by _time host

Example 2: Bucket search results into 10 bins, and return the count of raw events for each bucket.

... | bucket size bins=10 | stats count(_raw) by size


See also

chart, timechart

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0/SearchReference/Bucket"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!