bin command examples
The following are examples for using the SPL2 bin command.
To learn more about the bin command, see How the bin command works.
1. Return the average for a field for a specific time span
Bin the search results using a 5 minute time span on the _time field. Return the average "thruput" of each "host" for each 5 minute time span.
...| bin span=5m _time | stats avg(thruput) by _time, host
Alternative: You can also specify the span directly with the
...| stats avg(thruput) by span(_time, 5m), host
2. Specify a bin size and return the count of raw events for each bin
Bin the search results into 10 bins for the size field and return the count of raw events for each bin.
... | bin bins=10 size AS bin_size | stats count(_raw) BY bin_size
3. Create bins with a large end value to ensure that all possible values are included
Create bins with an end value larger than you need to ensure that all possible values are included. Bin the results based on the amount field.
... | bin end=1000 amount
4. Align the bins to a specific time and set the span to 12 hour intervals from that time
Set the span to 12h. Align the bins to 3am (local time). The bins will represent 3am - 3pm, then 3pm - 3am (the next day), and so on. Bin the results based on the _time field.
...| bin span=12h aligntime=@d+3h _time
5. Align the bins to a specific UTC time
Align the bins to the UTC time of 1500567890 for values in the _time field.
...| bin aligntime=1500567890 _time
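The alignment arithmetic behind examples 4 and 5, modelled in Python as an added example; it is not Splunk's implementation and not part of the original documentation. It assumes that local time is UTC and that bin edges fall at aligntime plus whole multiples of the span; the event timestamps and the helper names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

SPAN_12H = 12 * 3600            # span=12h, in seconds
MIDNIGHT = 1500508800           # 2017-07-20 00:00:00 UTC (constructed reference day)
ALIGN_3AM = MIDNIGHT + 3 * 3600 # stands in for aligntime=@d+3h, local time taken as UTC


def bin_start(ts, span, aligntime=0):
    """Floor epoch second ts to the start of its bin.

    Assumed model: bin edges sit at aligntime + k * span for integer k.
    Python's floor division keeps events before aligntime in the earlier bin.
    """
    return aligntime + ((ts - aligntime) // span) * span


def count_by_bin(timestamps, span, aligntime=0):
    """Rough equivalent of `bin ... _time | stats count() by _time`."""
    counts = Counter(bin_start(ts, span, aligntime) for ts in timestamps)
    return dict(sorted(counts.items()))


def label(start, span):
    """Render a bin as 'start to end' in UTC for reading the result."""
    fmt = "%Y-%m-%d %H:%M"
    lo = datetime.fromtimestamp(start, timezone.utc).strftime(fmt)
    hi = datetime.fromtimestamp(start + span, timezone.utc).strftime(fmt)
    return f"{lo} to {hi}"


# Constructed events on either side of the 3am and 3pm bin edges.
EVENTS = [
    MIDNIGHT + 10799,  # 02:59:59, one second before the 3am edge
    MIDNIGHT + 10800,  # 03:00:00, first second of the 3am - 3pm bin
    MIDNIGHT + 53999,  # 14:59:59, last second of the 3am - 3pm bin
    MIDNIGHT + 54000,  # 15:00:00, first second of the 3pm - 3am bin
    MIDNIGHT + 80000,  # 22:13:20
]

if __name__ == "__main__":
    for start, n in count_by_bin(EVENTS, SPAN_12H, ALIGN_3AM).items():
        print(label(start, SPAN_12H), n)
```

Events one second apart at 02:59:59 and 03:00:00 land in different bins, which matters when a per-bin count is compared against a threshold.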
This documentation applies to the following versions of Splunk® Cloud Services: current