Use variable on bucketing option

bfernandez · ‎06-15-2012

Is there any way to use a variable on the bucketing start option? It only works if you use an explicit numeric value.

| eval DemoTime = strptime(FechaIni,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=1339372800.000000 as weeks

Thanks in advance.

Lamar · ‎06-15-2012

It's expecting an integer there, not a string. Are you stringifying your variable by double-quoting the value?

bfernandez · ‎06-28-2012

Hi Lamar,

You are right, this option require a numeric value.

That’s the reason to use strptime that convert our human readable time string to an epoch time

Example:

adate = 2012-06-26 00:00:00.000
Initialtime = 1340661600.000000 (numeric)

Additionaly, I tried to forze this Initialtime field to numeric format with | convert num(Initialtime) as InitialtimeNum but the query always return:

Error in 'bin' command: The value for option start (InitialTime) is invalid.

Note: Splunk indicates that Convert command is mostly deprecated.

Thanks,

mikaelbje · ‎09-08-2015

Hi Borja!

Did you ever find an answer to this? I'm struggling with the same issue. Using the value of an eval field inside a command.

Lamar · ‎06-18-2012

That's not an integer though. There are integers in that string you're creating, it might look something like this:

2012-10-10 10:10:10.100

What you want to feed it is an integer. try using:

| convert ctime (ADate) as Initialtime ...

That will be the epoch conversion of that date-time, which will be an integer that the start keyword is expecting. And if it's already epoch, just pass it over to start.

bfernandez · ‎06-18-2012

Hi Lamar,

In this case, I am using another date field converter by strptime where it is assumed that the output is an integer

| eval Initialtime = strptime(ADate,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=Initialtime as weeks

Thanks,

Use variable on bucketing option

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!