timeBucket
Create time buckets for a table.
Create time buckets for the given table of a specified length. Each event is assigned to a time bucket based on its start and end time. The start time of the bucket is saved in lhub_start_ts and the end time of the bucket is saved in lhub_end_ts for each event.
Operator Usage in Easy Mode
- Click + on the parent node.
- Enter the Time Bucket operator in the search field and select the operator from the Results to open the operator form.
- In the Table drop-down, enter or select a table to apply the operator.
- In the Bucket Def, enter an integer along with a time unit that defines a timebucket.
- Click Run to view the result.
- Click Save to add the operator to the playbook.
- Click Cancel to discard the operator form.
Usage Details
timeBucket(table, bucketDef)
Input
table: Input table for the time bucket. The table must have an lhub_ts column.
bucketDef: String that defines a time bucket. The string has the following format: (integer)('s' or 'm' or 'h' or 'd') where 's' stands for seconds, 'm' stands for minutes, 'h' stands for hours, and 'd' stands for days. Some examples of valid strings are the following: "3s" = 3 seconds "5m" = 5 minutes. When the granularity is in days, the day boundaries are in the UTC timezone.
Output
The input table with lhub_start_ts and lhub_end_ts columns added.
Example
Input
table
| lhub_ts |
|---|
| 11/30/2017 23:35:29 |
| 11/30/2017 23:35:44 |
| 11/30/2017 23:35:54 |
timeBucket(table, "10s")
Output
| lhub_ts | lhub_start_ts | lhub_end_ts |
|---|---|---|
| 11/30/2017 23:35:29 | 11/30/2017 23:35:20 | 11/30/2017 23:35:30 |
| 11/30/2017 23:35:44 | 11/30/2017 23:35:40 | 11/30/2017 23:35:50 |
| 11/30/2017 23:35:54 | 11/30/2017 23:35:50 | 11/30/2017 23:36:00 |
Note
lhub_ts is a timestamp in millisecond (long format). The UI renders it in human readable format ("mm/dd/yy HH:MM:SS").
Updated about 1 year ago