bin
The bin command groups numeric values into buckets of equal intervals, which is useful for creating histograms and analyzing data distribution. It accepts a numeric or time-based field and generates a new field containing values that represent the lower bound of each bucket.
Syntax
The bin command has the following syntax:
bin <field> [span=<interval>] [minspan=<interval>] [bins=<count>] [aligntime=(earliest | latest | <time-specifier>)] [start=<value>] [end=<value>]
Parameters
The bin command supports the following parameters.
| Parameter | Required/Optional | Description |
|---|---|---|
<field> | Required | The field to group into buckets. Accepts numeric or time-based fields. |
span | Optional | The interval size for each bin. Cannot be used with the bins or minspan parameters. Supports numeric, logarithmic (log10, 2log10), and time intervals. See Time units. |
minspan | Optional | The minimum interval size for automatic span calculation. Cannot be used with the span or bins parameters. |
bins | Optional | The maximum number of equal-width bins to create. Must be between 2 and 50000 (inclusive). Cannot be used with the span or minspan parameters. See The bins parameter for timestamp fields. |
aligntime | Optional | Align the bin times for time-based fields. Valid only for time-based discretization. Valid values are earliest, latest, or a specific time. See Align options. |
start | Optional | The starting value of the interval range. Default is the minimum value of the field. |
end | Optional | The ending value of the interval range. Default is the maximum value of the field. |
The bins parameter for timestamp fields
The bins parameter for timestamp fields has the following requirements:
- Pushdown must be enabled: Enable pushdown by setting
plugins.calcite.pushdown.enabledtotrue(enabled by default). If pushdown is disabled, use thespanparameter instead (for example,bin @timestamp span=5m). - The timestamp field must be used as an aggregation bucket: The binned timestamp field must be included in a
statsaggregation (for example,source=events | bin @timestamp bins=3 | stats count() by @timestamp). Usingbinson timestamp fields outside of aggregation buckets is not supported.
Time units
The following time units are available for the span parameter:
- Microseconds (
us) - Milliseconds (
ms) - Centiseconds (
cs) - Deciseconds (
ds) - Seconds (
s,sec,secs,second, orseconds) - Minutes (
m,min,mins,minute, orminutes) - Hours (
h,hr,hrs,hour, orhours) - Days (
d,day, ordays) - Months (
M,mon,month, ormonths)
Align time options
The following options are available for the aligntime parameter:
earliest– Align bins to the earliest timestamp in the data.latest– Align bins to the latest timestamp in the data.<time-specifier>– Align bins to a specific epoch time value or time modifier expression.
Parameter behavior
When multiple parameters are specified, the priority order is: span > minspan > bins > start/end > default.
Special parameter types
The bin command has the following special handling for certain parameter types:
- Logarithmic spans (for example,
log10or2log10) create logarithmic bin boundaries instead of linear ones. - Daily or monthly spans automatically align to calendar boundaries and return date strings (
YYYY-MM-DD) instead of timestamps. - The
aligntimeparameter applies only to time spans shorter than a day (excluding daily or monthly spans). - The
startandendparameters expand the range (they never reduce it) and affect bin width calculations.
Example 1: Basic numeric span
source=accounts
| bin age span=10
| fields age, account_number
| head 3
The query returns the following results:
| age | account_number |
|---|---|
| 30-40 | 1 |
| 30-40 | 6 |
| 20-30 | 13 |
Example 2: Large numeric span
source=accounts
| bin balance span=25000
| fields balance
| head 2
The query returns the following results:
| balance |
|---|
| 25000-50000 |
| 0-25000 |
Example 3: Logarithmic span (log10)
source=accounts
| bin balance span=log10
| fields balance
| head 2
The query returns the following results:
| balance |
|---|
| 10000.0-100000.0 |
| 1000.0-10000.0 |
Example 4: Logarithmic span with coefficient
source=accounts
| bin balance span=2log10
| fields balance
| head 3
The query returns the following results:
| balance |
|---|
| 20000.0-200000.0 |
| 2000.0-20000.0 |
| 20000.0-200000.0 |
Example 5: Basic bins parameter
source=time_test
| bin value bins=5
| fields value
| head 3
The query returns the following results:
| value |
|---|
| 8000-9000 |
| 7000-8000 |
| 9000-10000 |
Example 6: Low bin count
source=accounts
| bin age bins=2
| fields age
| head 1
The query returns the following results:
| age |
|---|
| 30-40 |
Example 7: High bin count
source=accounts
| bin age bins=21
| fields age, account_number
| head 3
The query returns the following results:
| age | account_number |
|---|---|
| 32-33 | 1 |
| 36-37 | 6 |
| 28-29 | 13 |
Example 8: Basic minspan
source=accounts
| bin age minspan=5
| fields age, account_number
| head 3
The query returns the following results:
| age | account_number |
|---|---|
| 30-40 | 1 |
| 30-40 | 6 |
| 20-30 | 13 |
Example 9: Large minspan
source=accounts
| bin age minspan=101
| fields age
| head 1
The query returns the following results:
| age |
|---|
| 0-1000 |
Example 10: Start and end range
source=accounts
| bin age start=0 end=101
| fields age
| head 1
The query returns the following results:
| age |
|---|
| 0-100 |
Example 11: Large end range
source=accounts
| bin balance start=0 end=100001
| fields balance
| head 1
The query returns the following results:
| balance |
|---|
| 0-100000 |
Example 12: Span with start/end
source=accounts
| bin age span=1 start=25 end=35
| fields age
| head 6
The query returns the following results:
| age |
|---|
| 32-33 |
| 36-37 |
| 28-29 |
| 33-34 |
Example 13: Hour span
source=time_test
| bin @timestamp span=1h
| fields @timestamp, value
| head 3
The query returns the following results:
| @timestamp | value |
|---|---|
| 2025-07-28 00:00:00 | 8945 |
| 2025-07-28 01:00:00 | 7623 |
| 2025-07-28 02:00:00 | 9187 |
Example 14: Minute span
source=time_test
| bin @timestamp span=45minute
| fields @timestamp, value
| head 3
The query returns the following results:
| @timestamp | value |
|---|---|
| 2025-07-28 00:00:00 | 8945 |
| 2025-07-28 01:30:00 | 7623 |
| 2025-07-28 02:15:00 | 9187 |
Example 15: Second span
source=time_test
| bin @timestamp span=30seconds
| fields @timestamp, value
| head 3
The query returns the following results:
| @timestamp | value |
|---|---|
| 2025-07-28 00:15:30 | 8945 |
| 2025-07-28 01:42:00 | 7623 |
| 2025-07-28 02:28:30 | 9187 |
Example 16: Daily span
source=time_test
| bin @timestamp span=7day
| fields @timestamp, value
| head 3
The query returns the following results:
| @timestamp | value |
|---|---|
| 2025-07-24 00:00:00 | 8945 |
| 2025-07-24 00:00:00 | 7623 |
| 2025-07-24 00:00:00 | 9187 |
Example 17: Aligntime with time modifier
source=time_test
| bin @timestamp span=2h aligntime='@d+3h'
| fields @timestamp, value
| head 3
The query returns the following results:
| @timestamp | value |
|---|---|
| 2025-07-27 23:00:00 | 8945 |
| 2025-07-28 01:00:00 | 7623 |
| 2025-07-28 01:00:00 | 9187 |
Example 18: Aligntime with epoch timestamp
source=time_test
| bin @timestamp span=2h aligntime=1500000000
| fields @timestamp, value
| head 3
The query returns the following results:
| @timestamp | value |
|---|---|
| 2025-07-27 22:40:00 | 8945 |
| 2025-07-28 00:40:00 | 7623 |
| 2025-07-28 00:40:00 | 9187 |
Example 19: Default behavior (no parameters)
source=accounts
| bin age
| fields age, account_number
| head 3
The query returns the following results:
| age | account_number |
|---|---|
| 32.0-33.0 | 1 |
| 36.0-37.0 | 6 |
| 28.0-29.0 | 13 |
Example 20: Binning with string fields
source=accounts
| eval age_str = CAST(age AS STRING)
| bin age_str bins=3
| stats count() by age_str
| sort age_str
The query returns the following results:
| count() | age_str |
|---|---|
| 1 | 20-30 |
| 3 | 30-40 |