Create time buckets for a table.

Creates time buckets of a specified length for the given table. Each event is assigned to a time bucket based on its start and end time. For each event, the start time of the bucket is saved in lhub_start_ts and the end time of the bucket is saved in lhub_end_ts.

Operator Usage in Easy Mode

  1. Click + on the parent node.
  2. Enter the Time Bucket operator in the search field and select the operator from the Results to open the operator form.
  3. In the Table drop-down, enter or select a table to apply the operator.
  4. In Bucket Def, enter an integer followed by a time unit to define a time bucket.
  5. Click Run to view the result.
  6. Click Save to add the operator to the playbook.
  7. Click Cancel to discard the operator form.

Usage Details

timeBucket(table, bucketDef)

table: Input table for the time bucket. The table must have an lhub_ts column.
bucketDef: String that defines a time bucket. The string has the following format: (integer)('s' or 'm' or 'h' or 'd'), where 's' stands for seconds, 'm' stands for minutes, 'h' stands for hours, and 'd' stands for days. Examples of valid strings: "3s" = 3 seconds, "5m" = 5 minutes. When the granularity is in days, the day boundaries are in the UTC timezone.

Returns the input table with lhub_start_ts and lhub_end_ts columns added.



Input:

lhub_ts
11/30/2017 23:35:29
11/30/2017 23:35:44
11/30/2017 23:35:54

timeBucket(table, "10s")

Output:

lhub_ts              lhub_start_ts        lhub_end_ts
11/30/2017 23:35:29  11/30/2017 23:35:20  11/30/2017 23:35:30
11/30/2017 23:35:44  11/30/2017 23:35:40  11/30/2017 23:35:50
11/30/2017 23:35:54  11/30/2017 23:35:50  11/30/2017 23:36:00

lhub_ts is a timestamp in milliseconds (long format). The UI renders it in human-readable format ("mm/dd/yy HH:MM:SS").
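
The bucketing rule above can be reproduced offline to check expected bucket boundaries before correlating events. This is an added Python sketch, not the operator's own code: parse_bucket_def, time_bucket, to_ms and fmt are hypothetical names, and it assumes buckets are aligned to the Unix epoch (which matches the example rows and UTC day boundaries) and that a zero-length bucket is rejected.

```python
import re
from datetime import datetime, timezone

# Milliseconds per unit letter, as listed for bucketDef on this page.
UNIT_MS = {"s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
_BUCKET_RE = re.compile(r"(\d+)([smhd])")

def parse_bucket_def(bucket_def):
    """Return the bucket width in milliseconds for strings such as "10s" or "5m"."""
    match = _BUCKET_RE.fullmatch(bucket_def)
    if match is None:
        raise ValueError(f"invalid bucketDef: {bucket_def!r}")
    count = int(match.group(1))
    if count == 0:  # assumption: a zero-length bucket is rejected
        raise ValueError("bucket length must be positive")
    return count * UNIT_MS[match.group(2)]

def time_bucket(rows, bucket_def):
    """Add lhub_start_ts and lhub_end_ts (epoch ms) to each row that has lhub_ts."""
    width = parse_bucket_def(bucket_def)
    out = []
    for row in rows:
        # Assumption: buckets are aligned to the Unix epoch, so day buckets
        # start at 00:00 UTC. Python's % floors correctly for negative values.
        start = row["lhub_ts"] - row["lhub_ts"] % width
        out.append({**row, "lhub_start_ts": start, "lhub_end_ts": start + width})
    return out

def to_ms(text):
    """Constructed helper: read a rendered timestamp as UTC, return epoch ms."""
    dt = datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def fmt(ms):
    """Constructed helper: render epoch ms the way the example table shows it."""
    dt = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return dt.strftime("%m/%d/%Y %H:%M:%S")

if __name__ == "__main__":
    # The three input rows from the example on this page.
    sample = [{"lhub_ts": to_ms(t)} for t in
              ("11/30/2017 23:35:29", "11/30/2017 23:35:44", "11/30/2017 23:35:54")]
    for r in time_bucket(sample, "10s"):
        print(fmt(r["lhub_ts"]), fmt(r["lhub_start_ts"]), fmt(r["lhub_end_ts"]))
```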
