The Chronosphere • Room 3

Bucketing Time

The **bin** (or bucket) command puts continuous numerical values or time spans into discrete sets.

Instead of seeing a log for every second, you can bin `_time` into 1-hour chunks, then calculate the stats per chunk.

Hourly Buckets
```
index=main | bin _time span=1h | stats sum(bytes) by _time
```
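To make the effect of that search concrete, here is a small Python model of it run over constructed events. It is an added example, not part of the original lesson and not Splunk's implementation. It assumes epoch-second timestamps with buckets aligned on UTC boundaries; `bin_time`, `sum_bytes_by_time`, `hourly_totals` and the sample events are hypothetical names and data.

```python
from collections import defaultdict
from datetime import datetime, timezone

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def span_seconds(span):
    """Convert a span string such as '1h' or '15m' to a width in seconds."""
    count, unit = span[:-1], span[-1:]
    if unit not in UNIT_SECONDS or not count.isdigit() or int(count) == 0:
        raise ValueError(f"unsupported span: {span!r}")
    return int(count) * UNIT_SECONDS[unit]

def bin_time(events, span):
    """Model of `bin _time span=<span>`: overwrite _time with its bucket start."""
    width = span_seconds(span)
    return [{**e, "_time": e["_time"] - e["_time"] % width} for e in events]

def sum_bytes_by_time(events):
    """Model of `stats sum(bytes) by _time`: one row per bucket that has events."""
    totals = defaultdict(int)
    for e in events:
        totals[e["_time"]] += e["bytes"]
    return dict(sorted(totals.items()))

def epoch(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC and return epoch seconds."""
    parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())

# Constructed sample events (not real log data).
EVENTS = [
    {"_time": epoch("2024-01-01 09:00:00"), "bytes": 100},
    {"_time": epoch("2024-01-01 09:59:59"), "bytes": 200},   # last second of the 09:00 bucket
    {"_time": epoch("2024-01-01 10:00:00"), "bytes": 400},   # one second later: new bucket
    {"_time": epoch("2024-01-01 10:30:15"), "bytes": 800},
    {"_time": epoch("2024-01-01 12:05:00"), "bytes": 1600},  # nothing falls in 11:00
]

def hourly_totals():
    """Equivalent of: bin _time span=1h | stats sum(bytes) by _time"""
    return sum_bytes_by_time(bin_time(EVENTS, "1h"))

if __name__ == "__main__":
    for start, total in hourly_totals().items():
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), total)
```

Two events one second apart land in different buckets when they straddle the hour boundary, and the hour with no events produces no row at all, which matters when a gap in the results is read as "zero traffic".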

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Use the `bin` command to bucket `_time` into spans of "1d" (1 day).