
bin

Description

Splits continuous numeric values into discrete sets (bins) based on the specified field <field>.

Syntax

| bin [<bin-options>...] <field> [AS <newfield>]

Required Arguments

Parameter  Syntax   Description
field      <field>  The name of the field by which data is binned.

Optional Arguments

Defines limits and parameters for splitting data during analysis:

Parameter  Syntax                              Default               Description
bins       bins=<int>                          100                   Maximum number of bins for calculation.
span       span = (+|-)<int>(s|m|h|d|w|month)  See predefined spans  The interval for binning.
newfield   as <field>                                                A new name for the field.

The following format is accepted for time-based parameters: (+|-)<int>(s|m|h|d|w|month):

  • s/sec/secs/second/seconds - seconds
  • m/min/mins/minute/minutes - minutes
  • h/hr/hrs/hour/hours - hours
  • d/day/days - days
  • w/week/weeks - weeks
  • mon/month/months - months

Predefined span values

If the span parameter for a time field is not specified, predefined span parameters will be applied.

List of predefined span parameters:

Time Interval    span
Last 15 minutes  10 seconds
Last 60 minutes  1 minute
Last 4 hours     5 minutes
Last 24 hours    30 minutes
Last 7 days      1 day
Last 30 days     1 day
Last year        1 month

If the span parameter for a numeric field is not specified, it is calculated as (maximum field value) / (maximum number of bins).

Warning: A time-based span (<int>(s|m|h|d|w|month)) cannot be specified for a numeric field, and a numeric span (<int>) cannot be specified for a time-based field.
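The span rules above (unit aliases, predefined spans, the numeric default, and the type check from the warning) can be modelled in a few lines of Python. This is an added illustration, not the product's own code: the names parse_span and resolve_span are hypothetical, and it assumes that a search window uses the first predefined row that covers it and that "Last year" means 365 days.

```python
import re

# Unit aliases from the list of accepted time-based formats on this page.
UNITS = {
    "s": "s sec secs second seconds",
    "m": "m min mins minute minutes",
    "h": "h hr hrs hour hours",
    "d": "d day days",
    "w": "w week weeks",
    "month": "mon month months",
}
ALIAS = {a: unit for unit, names in UNITS.items() for a in names.split()}
SPAN_RE = re.compile(r"([+-]?\d+)\s*([a-z]*)$")

# Predefined spans table: (search window in seconds, default span).
# Assumption: "Last year" is taken as 365 days.
PREDEFINED = [
    (15 * 60, (10, "s")), (60 * 60, (1, "m")), (4 * 3600, (5, "m")),
    (24 * 3600, (30, "m")), (7 * 86400, (1, "d")), (30 * 86400, (1, "d")),
    (365 * 86400, (1, "month")),
]


def parse_span(text):
    """Return (value, unit); unit is None for a plain numeric span."""
    m = SPAN_RE.match(text.strip().lower())
    if not m or (m.group(2) and m.group(2) not in ALIAS):
        raise ValueError(f"invalid span: {text!r}")
    return int(m.group(1)), ALIAS.get(m.group(2))


def resolve_span(field_is_time, span=None, bins=100,
                 window_seconds=None, max_value=None):
    """Pick the span the way the rules above describe."""
    if span is not None:
        value, unit = parse_span(span)
        if field_is_time and unit is None:
            raise ValueError("numeric span on a time-based field")
        if not field_is_time and unit is not None:
            raise ValueError("time-based span on a numeric field")
        return value, unit
    if field_is_time:
        # Assumption: a window uses the first table row that covers it.
        for limit, default in PREDEFINED:
            if window_seconds <= limit:
                return default
        return PREDEFINED[-1][1]
    # Numeric default: (maximum field value) / (maximum number of bins).
    return max_value / bins, None
```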

Query Examples

Example 1

The command bins data by the time field _time into 10 bins based on a time interval:

...
| bin bins=10 _time

Example 2

The command bins data by the time field _time into bins with a span of 1 day:

...
| bin span=1d _time

Example 3

The command bins data by the numeric field amount with a span of 10:

...
| bin span=10 amount

Example 4

The command bins data by the numeric field amount with a span of 10 and renames the field to new_amount:

...
| bin span=10 amount as new_amount