Search Reference

 


bucket

Synopsis

Puts continuous numerical values into discrete sets.

Syntax

bucket [<bucketing-option>]* <field> [as <newfield>]

Required arguments

<field>
Datatype: <field>
Description: Specify a field name.

Optional arguments

<bucketing-option>
Datatype: bins | minspan | span | start-end
Description: Discretization options. See "Bucketing options" for details.
<newfield>
Datatype: <string>
Description: A new name for the field.

Bucketing options

bins
Syntax: bins=<int>
Description: Sets the maximum number of bins to discretize into.
minspan
Syntax: minspan=<span-length>
Description: Specifies the smallest span granularity to use when automatically inferring the span from the data time range.
span
Syntax: span = <log-span> | <span-length>
Description: Sets the size of each bucket, using either a span length based on time or a log-based span.
<start-end>
Syntax: end=<num> | start=<num>
Description: Sets the minimum and maximum extents for numerical buckets. Data outside of the [start, end] range is discarded.

Log span syntax

<log-span>
Syntax: [<num>]log[<num>]
Description: Sets a log-based span. The first number is a coefficient. The second number is the base. If the first number is supplied, it must be a real number >= 1.0 and < base. The base, if supplied, must be a real number > 1.0 (strictly greater than 1).
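
The log-span rules above as an added Python example (not Splunk's code and not part of the original page): it parses [<num>]log[<num>] and enforces the stated limits on coefficient and base. The defaults for an omitted number (coefficient 1, base 10) and the bucket edges at coefficient * base**k are assumptions, and parse_log_span and log_bucket are hypothetical names.

```python
import math
import re

# Grammar from the page: [<num>]log[<num>]  (coefficient first, then base)
_LOG_SPAN = re.compile(r"^(\d+(?:\.\d+)?)?log(\d+(?:\.\d+)?)?$")

# Assumed defaults when a number is omitted; the page does not state them.
DEFAULT_COEFFICIENT = 1.0
DEFAULT_BASE = 10.0


def parse_log_span(text):
    """Return (coefficient, base), or raise ValueError per the page's rules."""
    m = _LOG_SPAN.match(text.strip())
    if not m:
        raise ValueError(f"not a log-span: {text!r}")
    coeff = float(m.group(1)) if m.group(1) else DEFAULT_COEFFICIENT
    base = float(m.group(2)) if m.group(2) else DEFAULT_BASE
    if not base > 1.0:
        raise ValueError("base must be strictly greater than 1.0")
    if not (1.0 <= coeff < base):
        raise ValueError("coefficient must be >= 1.0 and < base")
    return coeff, base


def log_bucket(value, span):
    """Return the (low, high) bucket holding value.

    Assumption: bucket edges sit at coefficient * base**k for integer k.
    """
    coeff, base = parse_log_span(span)
    if value <= 0:
        raise ValueError("log buckets are only defined for positive values")
    k = math.floor(math.log(value / coeff, base))
    low = coeff * base ** k
    # Correct floating-point error when value lies exactly on an edge.
    if value < low:
        k -= 1
    elif value >= low * base:
        k += 1
    low = coeff * base ** k
    return low, low * base
```

Under these assumptions a value of 150 falls in 100 to 1000 with span=log10 and in 20 to 200 with span=2log10, while 10log10 is rejected because the coefficient is not less than the base.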

Span length syntax

<span-length>
Syntax: <int>[<timescale>]
Description: The span of each bin. If discretizing based on the _time field or used with a timescale, this is treated as a time range. If not, this is an absolute bucket length.
<timescale>
Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
Description: Time scale units. If discretizing based on the _time field, this defaults to seconds.
<sec>
Syntax: s | sec | secs | second | seconds
Description: Time scale in seconds.
<min>
Syntax: m | min | mins | minute | minutes
Description: Time scale in minutes.
<hr>
Syntax: h | hr | hrs | hour | hours
Description: Time scale in hours.
<day>
Syntax: d | day | days
Description: Time scale in days.
<month>
Syntax: mon | month | months
Description: Time scale in months.
<subseconds>
Syntax: us | ms | cs | ds
Description: Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds).

Description

Puts continuous numerical values in fields into discrete sets, or buckets. The default field processed is _time. Note: Bucket is called by chart and timechart automatically and is only needed for statistical operations that timechart and chart cannot process.

Examples

Example 1: Return the average "thruput" of each "host" for each 5 minute time span.

... | bucket _time span=5m | stats avg(thruput) by _time host

Example 2: Bucket search results into 10 bins, and return the count of raw events for each bucket.

... | bucket size bins=10 | stats count(_raw) by size

See also

chart, timechart


This documentation applies to the following versions of Splunk: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2, 5.0.3

