Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

bin

The bucket command is an alias for the bin command.

Description

Puts continuous numerical values into discrete sets, or bins, by adjusting the value of field so that all of the items in a particular set have the same value.

The bin command is automatically called by the chart and the timechart commands. Use the bin command for only statistical operations that the chart and the timechart commands cannot process.

Syntax

bin [<bin-options>...] <field> [AS <newfield>]

Required arguments

field
Syntax: <field>
Description: Specify a field name.

Optional arguments

bin-options
Syntax: bins | minspan | span | start-end
Description: Discretization options. See the Bins options section in this topic for the syntax and description for each of these options.
newfield
Syntax: <string>
Description: A new name for the field.

Bin options

bins
Syntax: bins=<int>
Description: Sets the maximum number of bins to discretize into.
minspan
Syntax: minspan=<span-length>
Description: Specifies the smallest span granularity to use automatically inferring span from the data time range.
span
Syntax: span = <log-span> | <span-length>
Description: Sets the size of each bin, using a span length based on time or log-based span.
<start-end>
Syntax: start=<num> | end=<num>
Description: Sets the minimum and maximum extents for numerical bins. The data in the field is analyzed and the beginning and ending values are determined. The start and end arguments are used when a span value is not specified.
You can use the start or end arguments only to expand the range, not to shorten the range. For example, if the field represents seconds the values are from 0-59. If you specify a span of 10, then the bins are calculated in increments of 10. The bins are 0-9, 10-19, 20-29, and so forth. If you do not specify a span, but specify end=1000, the bins are calculated based on the actual beginning value and 1000 as the end value.
If you set end=10 and the values are >10, the end argument has no effect.

Span options

log-span
Syntax: [<num>]log[<num>]
Description: Sets to log-based span. The first number is a coefficient. The second number is the base. If the first number is supplied, it must be a real number >= 1.0 and < base. Base, if supplied, must be real number > 1.0 (strictly greater than 1).
Example: span=2log10
span-length
Syntax: <int>[<timescale>]
Description: A span of each bin. If discretizing based on the _time field or used with a timescale, this is treated as a time range. If not, this is an absolute bin length.
<timescale>
Syntax: <sec> | <min> | <hr> | <day> | <month> | <subseconds>
Description: Time scale units. If discretizing based on the _time field.
Default: sec
Time scale Syntax Description
<sec> s | sec | secs | second | seconds Time scale in seconds.
<min> m | min | mins | minute | minutes Time scale in minutes.
<hr> h | hr | hrs | hour | hours Time scale in hours.
<day> d | day | days Time scale in days.
<month> mon | month | months Time scale in months.
<subseconds> us | ms | cs | ds Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds)

Usage

The bin command is usually a dataset processing command. If the span argument is specified with the command, the bin command is a streaming command.

Examples

Example 1:

Return the average "thruput" of each "host" for each 5 minute time span.

... | bin _time span=5m | stats avg(thruput) by _time host

Example 2:

Bin search results into 10 bins, and return the count of raw events for each bin.

... | bin size bins=10 | stats count(_raw) by size

Example 3:

Create bins with an end value larger than you need, ensure that all possible values are included.

... | bin amount end=1000

See also

chart, timechart

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the bin command.

Last modified on 28 March, 2019
awssnsalert   bucket

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters