Create time buckets of a specified length for the given table. Each event is assigned to a time bucket based on its start and end time; the start time of the bucket is saved in lhub_start_ts and the end time of the bucket is saved in lhub_end_ts for each event.
Operator Usage in Easy Mode
Click + on the parent node.
Enter the Time Bucket operator in the search field and select the operator from the Results to open the operator form.
In the Table drop-down, enter or select the table to apply the operator to.
In the Bucket Def field, enter an integer along with a time unit that defines a time bucket.
Click Run to view the result.
Click Save to add the operator to the playbook.
Click Cancel to discard the operator form.
Usage Details
LQL Command
timeBucket(table, bucketDef)
Input
table: Input table for the time bucket. The table must have an lhub_ts column.
bucketDef: String that defines a time bucket. The string has the format (integer)('s' or 'm' or 'h' or 'd'), where 's' stands for seconds, 'm' for minutes, 'h' for hours, and 'd' for days. Examples of valid strings: "3s" = 3 seconds, "5m" = 5 minutes. When the granularity is in days, the day boundaries are in the UTC timezone.
Output
The input table with lhub_start_ts and lhub_end_ts columns added.
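The following is an added reference implementation of the bucketing described above; it is not LogicHub's own code. It parses the bucketDef string, aligns buckets to the Unix epoch (an assumption, which is consistent with the UTC day-boundary note, since epoch-aligned day buckets start at UTC midnight), and adds lhub_start_ts and lhub_end_ts to every row. The helper names and the millisecond sample rows are constructed for the example.

```python
"""Added reference implementation of a timeBucket-style operator (not LogicHub's code)."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Bucket-unit multipliers in milliseconds, since lhub_ts is an epoch-millisecond long.
_UNIT_MS = {"s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
# (integer)(s|m|h|d), e.g. "10s", "5m", "1h", "1d"
_BUCKET_DEF_RE = re.compile(r"^\s*(\d+)\s*([smhd])\s*$")


def parse_bucket_def(bucket_def: str) -> int:
    """Turn a bucketDef string such as "3s" or "5m" into a bucket length in ms.

    Anything outside the documented format, or a zero-length bucket, raises
    ValueError so a malformed definition fails loudly instead of silently
    collapsing every event into one bucket.
    """
    m = _BUCKET_DEF_RE.match(bucket_def)
    if not m:
        raise ValueError(f"invalid bucketDef {bucket_def!r}; expected e.g. '10s', '5m', '1h', '1d'")
    count, unit = int(m.group(1)), m.group(2)
    if count == 0:
        raise ValueError("bucketDef length must be positive")
    return count * _UNIT_MS[unit]


def bucket_bounds(ts_ms: int, bucket_ms: int) -> Tuple[int, int]:
    """Return (start, end) in epoch ms of the bucket containing ts_ms.

    Buckets are aligned to the Unix epoch (assumption), so day-sized buckets
    fall on UTC midnight, matching the doc's note on day boundaries.
    """
    start = (ts_ms // bucket_ms) * bucket_ms
    return start, start + bucket_ms


def time_bucket(table: List[Dict], bucket_def: str) -> List[Dict]:
    """Add lhub_start_ts / lhub_end_ts to each row, derived from its lhub_ts."""
    bucket_ms = parse_bucket_def(bucket_def)
    out = []
    for row in table:
        if "lhub_ts" not in row:
            raise KeyError("input table must have an lhub_ts column")
        start, end = bucket_bounds(int(row["lhub_ts"]), bucket_ms)
        out.append({**row, "lhub_start_ts": start, "lhub_end_ts": end})
    return out


def utc_ms(text: str) -> int:
    """Helper for readable sample data: 'MM/DD/YYYY HH:MM:SS' in UTC -> epoch ms."""
    dt = datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def fmt_ms(ts_ms: int) -> str:
    """Inverse of utc_ms, used to display epoch-ms values the way the UI does."""
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


# Constructed sample input: three events with millisecond lhub_ts values.
SAMPLE_TABLE = [{"lhub_ts": utc_ms(t)} for t in (
    "11/30/2017 23:35:29", "11/30/2017 23:35:44", "11/30/2017 23:35:54")]

if __name__ == "__main__":
    for row in time_bucket(SAMPLE_TABLE, "10s"):
        print(fmt_ms(row["lhub_ts"]), "|", fmt_ms(row["lhub_start_ts"]), "|", fmt_ms(row["lhub_end_ts"]))
```

Because the boundaries are computed with integer floor division on the epoch-millisecond value, an event sitting exactly on a boundary (for example 23:35:30 with a 10s bucket) lands in the bucket that starts at that instant, i.e. buckets are half-open intervals [start, end).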
Example
Input
table

| lhub_ts |
|---|
| 11/30/2017 23:35:29 |
| 11/30/2017 23:35:44 |
| 11/30/2017 23:35:54 |
LQL command
timeBucket(table, "10s")
Output

| lhub_ts | lhub_start_ts | lhub_end_ts |
|---|---|---|
| 11/30/2017 23:35:29 | 11/30/2017 23:35:20 | 11/30/2017 23:35:30 |
| 11/30/2017 23:35:44 | 11/30/2017 23:35:40 | 11/30/2017 23:35:50 |
| 11/30/2017 23:35:54 | 11/30/2017 23:35:50 | 11/30/2017 23:36:00 |
Note: lhub_ts is a timestamp in milliseconds (long format). The UI renders it in human-readable format ("mm/dd/yy HH:MM:SS").