You're viewing version 3.4 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

bin

The bin command groups numeric values into buckets of equal intervals, which is useful for creating histograms and analyzing data distribution. It accepts a numeric or time-based field and generates a new field containing values that represent the lower bound of each bucket.

Syntax

The bin command has the following syntax:

bin <field> [span=<interval>] [minspan=<interval>] [bins=<count>] [aligntime=(earliest | latest | <time-specifier>)] [start=<value>] [end=<value>]

Parameters

The bin command supports the following parameters.

Parameter	Required/Optional	Description
`<field>`	Required	The field to group into buckets. Accepts numeric or time-based fields.
`span`	Optional	The interval size for each bin. Cannot be used with the `bins` or `minspan` parameters. Supports numeric, logarithmic (`log10`, `2log10`), and time intervals. See Time units.
`minspan`	Optional	The minimum interval size for automatic span calculation. Cannot be used with the `span` or `bins` parameters.
`bins`	Optional	The maximum number of equal-width bins to create. Must be between `2` and `50000` (inclusive). Cannot be used with the `span` or `minspan` parameters. See The bins parameter for timestamp fields.
`aligntime`	Optional	Align the bin times for time-based fields. Valid only for time-based discretization. Valid values are `earliest`, `latest`, or a specific time. See Align options.
`start`	Optional	The starting value of the interval range. Default is the minimum value of the field.
`end`	Optional	The ending value of the interval range. Default is the maximum value of the field.

The bins parameter for timestamp fields

The bins parameter for timestamp fields has the following requirements:

Pushdown must be enabled: Enable pushdown by setting plugins.calcite.pushdown.enabled to true (enabled by default). If pushdown is disabled, use the span parameter instead (for example, bin @timestamp span=5m).
The timestamp field must be used as an aggregation bucket: The binned timestamp field must be included in a stats aggregation (for example, source=events | bin @timestamp bins=3 | stats count() by @timestamp). Using bins on timestamp fields outside of aggregation buckets is not supported.

Time units

The following time units are available for the span parameter:

Microseconds (us)
Milliseconds (ms)
Centiseconds (cs)
Deciseconds (ds)
Seconds (s, sec, secs, second, or seconds)
Minutes (m, min, mins, minute, or minutes)
Hours (h, hr, hrs, hour, or hours)
Days (d, day, or days)
Months (M, mon, month, or months)

Align time options

The following options are available for the aligntime parameter:

earliest – Align bins to the earliest timestamp in the data.
latest – Align bins to the latest timestamp in the data.
<time-specifier> – Align bins to a specific epoch time value or time modifier expression.

Parameter behavior

When multiple parameters are specified, the priority order is: span > minspan > bins > start/end > default.

Special parameter types

The bin command has the following special handling for certain parameter types:

Logarithmic spans (for example, log10 or 2log10) create logarithmic bin boundaries instead of linear ones.
Daily or monthly spans automatically align to calendar boundaries and return date strings (YYYY-MM-DD) instead of timestamps.
The aligntime parameter applies only to time spans shorter than a day (excluding daily or monthly spans).
The start and end parameters expand the range (they never reduce it) and affect bin width calculations.