Splunk Cloud Platform

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Documentation

Splunk Cloud Platform

Splunk Cloud Platform Contents

Get Started

Administer

Manage Knowledge Objects

Search

SPL2 Search Reference

Leverage REST APIs

Release Notes

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Ingest Data from Cloud Services

Forward and Process Data

Process Data at the Edge

Process Data at Ingest Time

Collect Stream Data

Connect Relational Databases

REST API Reference

SPL Search Reference

Splunk Validated Architectures

bin command: Examples

The following are examples for using the SPL2 bin command. To learn more about the SPL2 bin command, see How the SPL2 bin command works.

1. Return the average for a field for a specific time span

Bin the search results using a 5 minute time span on the _time field. Return the average "thruput" of each "host" for each 5 minute time span.

...| bin span=5m _time  | stats avg(thruput) by _time, host

Alternative: You can also specify the span directly with the stats command.

...| stats avg(thruput) by span(_time, 5m), host

2. Specify a bin size and return the count of raw events for each bin

Bin the search results into 10 bins for the size field and return the count of raw events for each bin.

... | bin bins=10 size AS bin_size | stats count(_raw) BY bin_size

3. Create bins with a large end value to ensure that all possible values are included

Create bins with an end value larger than you need to ensure that all possible values are included. Bin the results based on the amount field.

... | bin end=1000 amount

4. Align the bins to a specific time and set the span to 12 hour intervals from that time

Set the span to 12h. Align the bins to 3am (local time). The bins will represent 3am - 3pm, then 3pm - 3am (the next day), and so on. Bin the results based on the _time field.

...| bin span=12h aligntime=@d+3h _time

5. Align the bins to a specific UTC time

Align the bins to the UTC time of 1500567890 for values in the _time field.

...| bin aligntime=1500567890 _time

See also

bin command

bin command: Overview, syntax, and usage

ON THIS PAGE

1. Return the average for a field for a specific time span
2. Specify a bin size and return the count of raw events for each bin
3. Create bins with a large end value to ensure that all possible values are included
4. Align the bins to a specific time and set the span to 12 hour intervals from that time
5. Align the bins to a specific UTC time
See also

Last updated: May 28, 2025

Explore Topics

Splunk Observability Cloud

Splunk IT Service Intelligence

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

AppDynamics SaaS

About This Site

Community Support

Supported Add-ons

©2005-2025 Splunk Inc. All rights reserved.