bin command examples
The following are examples for using the SPL2 bin command.
To learn more about the SPL2 bin command, see How the SPL2 bin command works.
1. Return the average for a field for a specific time span
Bin the search results using a 5 minute time span on the _time field. Return the average "thruput" of each "host" for each 5 minute time span.
...| bin span=5m _time | stats avg(thruput) by _time, host
Alternative: You can also specify the span directly with the stats command.
...| stats avg(thruput) by span(_time, 5m), host
2. Specify a bin size and return the count of raw events for each bin
Bin the search results into 10 bins for the size field and return the count of raw events for each bin.
... | bin bins=10 size AS bin_size | stats count(_raw) BY bin_size
3. Create bins with a large end value to ensure that all possible values are included
Create bins with an end value larger than you need to ensure that all possible values are included. Bin the results based on the amount field.
... | bin end=1000 amount
4. Align the bins to a specific time and set the span to 12 hour intervals from that time
Set the span to 12h. Align the bins to 3am (local time). The bins will represent 3am - 3pm, then 3pm - 3am (the next day), and so on. Bin the results based on the _time field.
...| bin span=12h aligntime=@d+3h _time
5. Align the bins to a specific UTC time
Align the bins to the UTC time of 1500567890 for values in the _time field.
...| bin aligntime=1500567890 _time
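The bucket arithmetic behind examples 4 and 5, as an added Python illustration (not Splunk code, and not the search processor's actual implementation): a bucket edge is pinned at the alignment point, every bucket is one span wide, and events before the alignment point fall into buckets counted backwards from it. The sample timestamps and the 1 hour span used with the epoch alignment are constructed for the demonstration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta


def bin_time_epoch(t: int, span_seconds: int, aligntime_epoch: int) -> int:
    """Start of the bucket containing epoch time t.

    Emulates `bin span=<span> aligntime=<epoch> _time`: one bucket edge sits
    exactly at aligntime_epoch and buckets extend both forwards and backwards
    from it (floor handles the negative offsets before the alignment point).
    """
    offset = math.floor((t - aligntime_epoch) / span_seconds)
    return aligntime_epoch + offset * span_seconds


def bin_time_day_offset(dt: datetime, span: timedelta, day_offset: timedelta) -> datetime:
    """Emulates `bin span=12h aligntime=@d+3h _time` for a naive local datetime.

    @d snaps to the event's local midnight, +3h moves the edge to 03:00, and the
    event is then bucketed relative to that edge. With a 12h span the buckets are
    03:00-15:00 and 15:00-03:00 (the latter belonging to the previous day).
    """
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    align = midnight + day_offset
    n = math.floor((dt - align) / span)
    return align + n * span


def count_per_bucket(events: list[datetime]) -> dict[datetime, int]:
    """The `| stats count by _time` step: events grouped by their 12h bucket."""
    buckets = Counter(
        bin_time_day_offset(e, timedelta(hours=12), timedelta(hours=3)) for e in events
    )
    return dict(buckets)


if __name__ == "__main__":
    # Constructed sample events spanning the 03:00 alignment edge.
    sample = [
        datetime(2023, 5, 10, 1, 0),    # before 03:00 -> previous day's 15:00 bucket
        datetime(2023, 5, 10, 3, 0),    # exactly on the edge -> 03:00 bucket
        datetime(2023, 5, 10, 16, 30),  # afternoon -> 15:00 bucket
    ]
    for bucket, n in sorted(count_per_bucket(sample).items()):
        print(bucket.isoformat(), n)
    # Example 5 style alignment, with a constructed 1 hour span.
    print(bin_time_epoch(1500567890 + 3700, 3600, 1500567890))
```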
See also
bin command usage | branch command overview
This documentation applies to the following versions of Splunk® Cloud Services: current