bin command overview
The SPL2 bin command puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.
The SPL2 bin command is automatically called by the SPl2 timechart command. Use the bin command for only statistical operations that the timechart command cannot process.
Syntax
The required syntax is in bold.
- bin
- [<bin-options>...]
- <field> [AS <newfield>]
How the SPL2 bin command works
Use the SPL2 bin command to group events by the numerical values in a field. Consider the following timestamps:
| Event number | _time | Hour and minute | Minutes from first time |
|---|---|---|---|
| 1 | 22 Aug 2021 01:56:37 AM | 01:56 | |
| 2 | 22 Aug 2021 01:58:21 AM | 01:58 | 2 minutes |
| 3 | 22 Aug 2021 01:59:59 AM | 01:59 | 3 minutes |
| 4 | 22 Aug 2021 02:03:16 AM | 02:03 | 7 minutes |
| 5 | 22 Aug 2021 02:05:43 AM | 02:05 | 9 minutes |
| 6 | 22 Aug 2021 02:09:38 AM | 02:09 | 13 minutes |
| 7 | 22 Aug 2021 02:12:31 AM | 02:12 | 16 minutes |
You decide to run a search that bins the search results using a 5 minute time span on the _time field.
...| bin span=5m _time
The bin command groups the timestamps in the _time field into 5 minutes intervals. The groups are:
| Group | Timestamps from _time | Timestamp span range for each bin |
|---|---|---|
| 1 | 22 Aug 2021 01:56:37 AM 22 Aug 2021 01:58:21 AM |
22 Aug 2021 01:56:37 AM --- 22 Aug 2021 02:01:36 AM |
| 2 | 22 Aug 2021 02:03:16 AM 22 Aug 2021 02:05:43 AM |
22 Aug 2021 02:01:37 AM --- 22 Aug 2021 02:06:36 AM |
| 3 | 22 Aug 2021 02:09:38 AM | 22 Aug 2021 02:07:37 AM --- 22 Aug 2021 02:11:36 AM |
| 4 | 22 Aug 2021 02:12:31 AM | 22 Aug 202102:11:37 AM --- 22 Aug 2021 02:16:36 AM |
For searching purposes only, the bin command adjusts the value of _time so that all of the results use the same _time value. Commands in your search that come after the bin command will use this temporary value for _time.
The temporary timestamps for subsequent commands are the first timestamp in the span range, unless you specify a snap-to time.
| Group | Timestamps from _time | Timestamp span range for each bin | Timestamps for subsequent commands |
|---|---|---|---|
| 1 | 22 Aug 2021 01:56:37 AM 22 Aug 2021 01:58:21 AM |
22 Aug 2021 01:56:37 AM --- 22 Aug 2021 02:01:36 AM | 22 Aug 2021 01:56:37 AM |
| 2 | 22 Aug 2021 02:03:16 AM 22 Aug 2021 02:05:43 AM |
22 Aug 2021 02:01:37 AM --- 22 Aug 2021 02:06:36 AM | 22 Aug 2021 02:01:37 AM |
| 3 | 22 Aug 2021 02:09:38 AM | 22 Aug 2021 02:07:37 AM --- 22 Aug 2021 02:11:36 AM | 22 Aug 2021 02:07:37 AM |
| 4 | 22 Aug 2021 02:12:31 AM | 22 Aug 2021 02:11:37 AM --- 2019-08-22 02:16:36 AM | 22 Aug 2021 02:11:37 AM |
The bin command is frequently used in a search before the stats command. In this example, after the search results are organized into bins, the stats command returns the average "thruput" of each "host" for every 5 minute time span. The search results are arranged by _time and host.
...| bin span=5m _time | stats avg(thruput) by _time, host
See also
| SPL2 Command Quick Reference | bin command syntax details |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!