
timeBucket (Operator)

Create time buckets of a specified length for the given table. Each event is assigned to a time bucket based on its start and end time. The start time of the bucket is saved in lhub_start_ts and the end time of the bucket is saved in lhub_end_ts for each event.

Operator Usage in Easy Mode

  1. Click + on the parent node.

  2. Enter the Time Bucket operator in the search field and select the operator from the Results to open the operator form.

  3. In the Table drop-down, enter or select a table to apply the operator.

  4. In the Bucket Def field, enter an integer along with a time unit that defines a time bucket.

  5. Click Run to view the result.

  6. Click Save to add the operator to the playbook.

  7. Click Cancel to discard the operator form.

Usage Details

LQL Command

timeBucket(table, bucketDef)

Input
table: Input table for the time bucket. The table must have an lhub_ts column.
bucketDef: String that defines a time bucket. The string has the following format: (integer)('s' or 'm' or 'h' or 'd'), where 's' stands for seconds, 'm' stands for minutes, 'h' stands for hours, and 'd' stands for days. Examples of valid strings: "3s" = 3 seconds, "5m" = 5 minutes. When the granularity is in days, the day boundaries are in the UTC timezone.

Output
The input table with lhub_start_ts and lhub_end_ts columns added.

Example

Input
table

| lhub_ts             |
|---------------------|
| 11/30/2017 23:35:29 |
| 11/30/2017 23:35:44 |
| 11/30/2017 23:35:54 |

LQL command

timeBucket(table, "10s")

Output

| lhub_ts             | lhub_start_ts       | lhub_end_ts         |
|---------------------|---------------------|---------------------|
| 11/30/2017 23:35:29 | 11/30/2017 23:35:20 | 11/30/2017 23:35:30 |
| 11/30/2017 23:35:44 | 11/30/2017 23:35:40 | 11/30/2017 23:35:50 |
| 11/30/2017 23:35:54 | 11/30/2017 23:35:50 | 11/30/2017 23:36:00 |

Note
lhub_ts is a timestamp in milliseconds (long format). The UI renders it in human-readable format ("mm/dd/yy HH:MM:SS").
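
The bucketing from the example above, reproduced as an added Python example (not the product's own code) that is useful for checking expected window boundaries outside the playbook. It assumes buckets are aligned to the Unix epoch and are half-open, so an event exactly on a boundary falls in the later bucket, and that the displayed timestamps are UTC; `parse_bucket_def`, `time_bucket`, `to_ms` and `render` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Unit suffix -> milliseconds, following the bucketDef format on this page.
_UNIT_MS = {"s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
_BUCKET_RE = re.compile(r"([1-9][0-9]*)([smhd])")


def parse_bucket_def(bucket_def):
    """Return the bucket length in milliseconds for strings such as "10s"."""
    m = _BUCKET_RE.fullmatch(bucket_def)
    if m is None:
        raise ValueError(f"invalid bucketDef: {bucket_def!r}")
    return int(m.group(1)) * _UNIT_MS[m.group(2)]


def time_bucket(rows, bucket_def):
    """Add lhub_start_ts / lhub_end_ts to rows (dicts with lhub_ts in epoch ms).

    Assumption: buckets are aligned to the Unix epoch, so day buckets
    start at 00:00:00 UTC, matching the UTC day boundaries on the page.
    """
    width = parse_bucket_def(bucket_def)
    out = []
    for row in rows:
        start = row["lhub_ts"] - row["lhub_ts"] % width  # floor to bucket start
        out.append({**row, "lhub_start_ts": start, "lhub_end_ts": start + width})
    return out


def to_ms(text):
    """Parse "mm/dd/YYYY HH:MM:SS" as UTC (assumed) into epoch milliseconds."""
    dt = datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def render(ms):
    """Format epoch milliseconds the way the page's tables show them."""
    dt = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return dt.strftime("%m/%d/%Y %H:%M:%S")


# The three sample events from the page, plus one constructed boundary event.
SAMPLE = [{"lhub_ts": to_ms(t)} for t in (
    "11/30/2017 23:35:29", "11/30/2017 23:35:44",
    "11/30/2017 23:35:54", "11/30/2017 23:35:30",  # last value is constructed
)]

if __name__ == "__main__":
    for r in time_bucket(SAMPLE, "10s"):
        print(*(render(r[k]) for k in ("lhub_ts", "lhub_start_ts", "lhub_end_ts")))
```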