On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
Bin
Puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.
- Function Input
collection<record<R>>- This function takes in collections of records with schema R.
- Function Output
collection<record<S>>- This function outputs the same collection of records but with a different schema S.
Arguments
| Argument | Input | Description | UI example |
|---|---|---|---|
| field | string | The name of the field to bin. The value of the field must be a numerical. | timestamp |
| result | string | Optional. A new name for the field. | time |
| span | string | Sets the size of each bin, using a span length based on time or log-based span. | 5m |
| aligntime | string | Optional. Align the bin times to something other than base UTC time (epoch 0). The aligntime option is valid only when doing a time-based discretization. Ignored if span is in days, months, or years. Aligntime of earliest and latest are not supported. | 4h |
Span options
log-span- Syntax: [<num>]log[<num>]
- Description: Sets to logarithm-based span. The first number is a coefficient. The second number is the base. If the first number is supplied, it must be a real number >= 1.0 and < the base number. Base, if supplied, must be real number > 1.0 (strictly greater than 1).
- Example: span=2log10
span-length- Syntax: <int>[<timescale>]
- Description: A span of each bin. If discretizing based on the
_timefield or used with a timescale, this is treated as a time range. If not, this is an absolute bin length.
timescale- Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
- Description: Time scale units. If discretizing based on the
_timefield. - Default: sec
| Time scale | Syntax | Description |
|---|---|---|
| <sec> | sec | secs | second | seconds | Time scale in seconds. |
| <min> | min | mins | minute | minutes | Time scale in minutes. |
| <hr> | hr | hrs | hour | Time scale in hours. |
| <day> | day | days | Time scale in days. |
| <month> | month | months | Time scale in months. |
| <subseconds> | ms | cs | ds | Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds). |
DSL example
bin(input, "timestamp", null, "1h", null);
Last modified on 02 January, 2020
| Batch Events | Break Events |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1
Download manual
Feedback submitted, thanks!