Answers for "Splunk Newbie: Using buckets/bins"
https://answers.splunk.com/answers/615238/splunk-newbie-using-bucketsbins.html
The latest answers for the question "Splunk Newbie: Using buckets/bins"Answer by mayurr98
https://answers.splunk.com/answering/616334/view.html
hey you can try something like this
index=<your_index> source=<your_source>
......
| eval days=round((now()-strptime(OPEN_DATE, "%m%d%Y"))/86400)
| eval t=days
| bin days span=29
| eval days=case(t>=0 AND t<29,"0-29",t>=29 AND t<58,"29-58",t>=58 AND t<87,"58-87",t>=87 AND t<116,"87-116",t>=116 AND t<145,"116-145",t>=145 AND t<174,"145-174",t>=174,"174+")
| stats count by days
| sort days
let me know if this helps!Tue, 06 Feb 2018 07:40:02 GMTmayurr98Answer by lguinn2
https://answers.splunk.com/answering/616286/view.html
I think you may need to use more of the options for the `bin` command, such as setting the number of bins.
You could also calculate this instead of trying to force bin - bin doesn't like unequal bin sizes... but I recommend the case function, which gives you complete control:
...
| eval days=round((now()-strptime(OPEN_DATE, "%m%d%Y"))/86400)
| eval day_category=case(days < 30, "0-29",
days < 59,"30-58",
days < 88,"59-87",
days < 117,"88-116",
days < 146,"117-145",
days < 175,"146-174",
true(),"174+")
| stats count by date_category
Note a couple of things about the case function: it takes the value corresponding to the first match. So if days is 118, then the day_category will be assigned to "117-145". The `true()` in the last part of the case function defines a default value, which will be used if no other test matches.
The formatting is just to make it easy to read; you can put the whole case function on a single line; Splunk doesn't care.
Finally, the categories that you defined in your desired output are overlapping. I corrected that in my case statement.
HTH!Tue, 06 Feb 2018 01:41:16 GMTlguinn2