Splunk® Cloud Services

SPL2 Search Reference


bin command overview

Puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.

The bin command is automatically called by the timechart command. Use the bin command only for statistical operations that the timechart command cannot process.

Syntax

The required parts of the syntax are bin and <field>; elements in square brackets are optional.

bin [<bin-options>...] <field> [AS <newfield>]


How the bin command works

Use the bin command to group events by the numerical values in a field. Consider the following timestamps:

Event number | _time                   | Hour and minute | Minutes from first time
1            | 2019-08-22 01:56:37.000 | 01:56           | (first event)
2            | 2019-08-22 01:58:21.000 | 01:58           | 2 minutes
3            | 2019-08-22 01:59:59.000 | 01:59           | 3 minutes
4            | 2019-08-22 02:03:16.000 | 02:03           | 7 minutes
5            | 2019-08-22 02:05:43.000 | 02:05           | 9 minutes
6            | 2019-08-22 02:09:38.000 | 02:09           | 13 minutes
7            | 2019-08-22 02:12:31.000 | 02:12           | 16 minutes

You decide to run a search that bins the search results using a 5-minute time span on the _time field.

...| bin span=5m _time


The bin command groups the timestamps in the _time field into 5-minute intervals. The groups are:

Group | Timestamps from _time                                                         | Timestamp span range for each bin
1     | 2019-08-22 01:56:37.000, 2019-08-22 01:58:21.000, 2019-08-22 01:59:59.000     | 2019-08-22 01:56:37.000 --- 2019-08-22 02:01:36.000
2     | 2019-08-22 02:03:16.000, 2019-08-22 02:05:43.000                              | 2019-08-22 02:01:37.000 --- 2019-08-22 02:06:36.000
3     | 2019-08-22 02:09:38.000                                                       | 2019-08-22 02:07:37.000 --- 2019-08-22 02:11:36.000
4     | 2019-08-22 02:12:31.000                                                       | 2019-08-22 02:11:37.000 --- 2019-08-22 02:16:36.000


For searching purposes only, the bin command adjusts the value of _time so that all of the results in the same bin use the same _time value. Commands in your search that come after the bin command use this temporary value for _time.

The temporary timestamps for subsequent commands are the first timestamp in the span range, unless you specify a snap-to time.

Group | Timestamps from _time                                                         | Timestamp span range for each bin                   | Timestamps for subsequent commands
1     | 2019-08-22 01:56:37.000, 2019-08-22 01:58:21.000, 2019-08-22 01:59:59.000     | 2019-08-22 01:56:37.000 --- 2019-08-22 02:01:36.000 | 2019-08-22 01:56:37.000
2     | 2019-08-22 02:03:16.000, 2019-08-22 02:05:43.000                              | 2019-08-22 02:01:37.000 --- 2019-08-22 02:06:36.000 | 2019-08-22 02:01:37.000
3     | 2019-08-22 02:09:38.000                                                       | 2019-08-22 02:07:37.000 --- 2019-08-22 02:11:36.000 | 2019-08-22 02:07:37.000
4     | 2019-08-22 02:12:31.000                                                       | 2019-08-22 02:11:37.000 --- 2019-08-22 02:16:36.000 | 2019-08-22 02:11:37.000


The bin command is frequently used in a search before the stats command. In this example, after the search results are organized into bins, the stats command returns the average "thruput" of each "host" for every 5-minute time span. The search results are arranged by _time and host.

...| bin span=5m _time | stats avg(thruput) by _time, host
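The following Python model is an added illustration, not Splunk code: it reproduces the grouping described above (bins anchored at the earliest timestamp, each event's _time replaced by the start of its interval, no snap-to time) and then the `stats avg(thruput) by _time, host` step. The host and thruput values are constructed for the example; the timestamps are the seven from this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: the seven timestamps from this page, with
# hypothetical host and thruput values so that stats has something to average.
EVENTS = [
    ("2019-08-22 01:56:37.000", "www1", 120),
    ("2019-08-22 01:58:21.000", "www2", 80),
    ("2019-08-22 01:59:59.000", "www1", 100),
    ("2019-08-22 02:03:16.000", "www1", 90),
    ("2019-08-22 02:05:43.000", "www2", 60),
    ("2019-08-22 02:09:38.000", "www1", 150),
    ("2019-08-22 02:12:31.000", "www2", 70),
]

FMT = "%Y-%m-%d %H:%M:%S.%f"

def parse_span(span):
    """Parse a span such as '5m' or '30s' (the subset of span syntax used here)."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return timedelta(seconds=int(span[:-1]) * units[span[-1]])

def bin_time(events, span="5m"):
    """Model of `bin span=<span> _time`: each event's _time is replaced by the
    start of the <span>-wide interval it falls in. Intervals are anchored at the
    earliest timestamp, as in the page's walkthrough (assumes no snap-to time)."""
    width = parse_span(span)
    times = [datetime.strptime(e[0], FMT) for e in events]
    origin = min(times)
    binned = []
    for (_, host, thruput), t in zip(events, times):
        index = (t - origin) // width            # which interval this event falls in
        start = origin + index * width           # temporary _time used downstream
        binned.append((start.strftime(FMT)[:-3], host, thruput))
    return binned

def stats_avg_by_time_host(binned):
    """Model of `stats avg(thruput) by _time, host` over the binned events."""
    groups = defaultdict(list)
    for t, host, thruput in binned:
        groups[(t, host)].append(thruput)
    return {key: sum(v) / len(v) for key, v in sorted(groups.items())}

if __name__ == "__main__":
    for (t, host), avg in stats_avg_by_time_host(bin_time(EVENTS)).items():
        print(t, host, avg)
```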

See also

bin command
bin command syntax details
bin command usage
bin command examples
Last modified on 31 October, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current

