bin

Description

Splits continuous numeric values into discrete sets (bins) based on the specified field <field>.

Syntax

| bin [<bin-options>...] <field> [AS <newfield>]

Required Arguments

Parameter	Syntax	Description
field	<field>	The name of the field by which data is binned.

Optional Arguments

Defines limits and parameters for splitting data during analysis:

Parameter	Syntax	Default	Description
bins	bins=<int>	100	Maximum number of bins for calculation.
span	span = (+|-)<int>(s|m|h|d|w|month)	See predefined spans	The interval for binning.
newfield	as <field>		A new name for the field.

The following format is accepted for time-based parameters: (+|-)<int>(s|m|h|d|w|month):

• s/sec/secs/second/seconds - seconds
• m/min/mins/minute/minutes - minutes
• h/hr/hrs/hour/hours - hours
• d/day/days - days
• w/week/weeks - weeks
• mon/month/months - months

Predefined span values

If the span parameter for a time field is not specified, predefined span parameters will be applied.

List of predefined span parameters:

Time Interval	span
Last 15 minutes	10 seconds
Last 60 minutes	1 minute
Last 4 hours	5 minutes
Last 24 hours	30 minutes
Last 7 days	1 day
Last 30 days	1 day
Last year	1 month

If the span parameter for a numeric field is not specified, it is calculated as (maximum field value) / (maximum number of bins).

warning

A time-based span (<int>(s|m|h|d|w|month)) cannot be specified for a numeric field, and a numeric span (<int>) cannot be specified for a time-based field.

Query Examples

Example 1

The command bins data by the time field _time into 10 bins based on a time interval:

...
| bin bins=10 _time

Example 2

The command bins data by the time field _time into bins with a span of 1 day:

...
| bin span=1d _time

Example 3

The command bins data by the numeric field amount with a span of 10:

...
|  bin span=10 amount

Example 4

The command bins data by the numeric field amount with a span of 10 and renames the field to new_amount:

...
| bin amount as new_amount