What is the different between "bin span=5m" vs "ti...

indeed_2000 · ‎07-04-2022

Hi
What is the different between "bin span=5m" vs "timechart span=5m"?
I mean it is better to use bin span then use timechart without timechart?
which one efficient? what is the different at all?

Thanks,

ITWhisperer · ‎07-04-2022

timechart will fill in the gaps in the timeline - for example, if your time range (earliest to latest) was 09:00 to 09:15, - timechart would give you events for 09:00, 09:05 and 09:10, regardless of whether there was an event, whereas bin would only give you (aggregated) events for these times if there was an event in the pipeline for the time slots.

indeed_2000 · ‎07-04-2022

Would you please explain more?

What is the different between "bin span=5m" vs "timechart span=5m"

ITWhisperer · ‎07-04-2022

Assuming you mean "bin _time span=5m" vs "timechart span=5m", there is no difference with respect to bucketing the _time value in the events.

The difference is that timechart will insert aggregation events whereas bin does not (and assuming you are following bin with a stats command, the chart part of timechart will create fields (columns) for each series, whereas stats has columns for each aggregation (function).

Why not try them out and see! 😀

indeed_2000 · ‎07-05-2022

@ITWhisperer any idea?

ITWhisperer · ‎07-05-2022

They look the same to me - given the data you seem to be working with - that is, there don't appear to be any gaps in the timeframe, and you aren't counting by series. If you are concerned as to whether one is better than the other, look at the job inspector to see if there is any significant difference there.

What is the different between "bin span=5m" vs "timechart span=5m"?

eval

field extraction

fields

regex

rex

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector