Currently using bucket() and timechart() can produce "incomplete buckets", starting or ending outside the selected search interval. Also it's not obvious where the first bucket will start or how many buckets you will get.
To make bucketing easier to understand and deal with I would like:
- An option to always start the first bucket at the beginning of the selected search interval (that way you will only ever have to deal with partial buckets at the end)
- An option to exclude any incomplete buckets from the search result, or mark them as incomplete by adding a new field the user can filter on afterwards.
In v1.9 a new timechart Styling option was added to exclude the latest bucket, which helps a bit, but doesn't really solve the problem:
- You can still get incomplete buckets at the start of the search period
- Doesn't help when using e.g. bucket() for a table-result instead of displaying a timechart
- If the search interval only contains one (complete) bucket, that bucket will also be hidden
Here's an example from one of our users:
Let's say you want to calculate an average count per week. You select a search interval of 14 whole days, then calculate the count per 1-week bucket, then take the avg with avg(_count)
start=2020-05-13T00:00:00, end=2020-05-27T00:00:00, query=bucket(span=1week)
_bucket | _count | note
2020-05-07 00:00:00 | 10 | only 1 day of data in this 1-week bucket
2020-05-14 00:00:00 | 70 | complete bucket
2020-05-21 00:00:00 | 60 | only 6 days of data in this 1-week bucket
Then trying to take the average of these week-buckets' counts you would obviously get an incorrect result if you expected each bucket to span a full week.
Also, if you shift the search interval one day forward you get just two 1week buckets over these 14 whole days, seems the "week" modifier always starts buckets on Thursdays?
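The bucket starts in the table above can be reproduced with the following sketch, an added example that is not part of the original post and not the product's code. It assumes bucket edges fall on multiples of the span counted from the Unix epoch (1970-01-01, a Thursday) and a constant 10 events per day; the names `buckets` and `avg_count` are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # 1970-01-01 was a Thursday
WEEK = timedelta(weeks=1)

def buckets(start, end, span, align="epoch"):
    """Split [start, end) into span-sized buckets.

    align="epoch":    edges are multiples of span since the Unix epoch
                      (assumed model of the behaviour described in the post).
    align="interval": the first bucket starts at `start` (the requested option).
    Each bucket records how much of it overlaps the search interval, which is
    the "incomplete" marker the post asks for.
    """
    if align == "epoch":
        edge = EPOCH + ((start - EPOCH) // span) * span
    else:
        edge = start
    result = []
    while edge < end:
        covered = min(edge + span, end) - max(edge, start)
        result.append({"start": edge, "covered": covered,
                       "complete": covered == span})
        edge += span
    return result

def avg_count(bkts, per_day=10, complete_only=False):
    """Average per-bucket count, assuming a constant `per_day` events per day."""
    counts = [b["covered"].days * per_day for b in bkts
              if b["complete"] or not complete_only]
    return sum(counts) / len(counts)

if __name__ == "__main__":
    # Search interval from the post: 14 whole days.
    start = datetime(2020, 5, 13, tzinfo=timezone.utc)
    end = datetime(2020, 5, 27, tzinfo=timezone.utc)
    for b in buckets(start, end, WEEK):
        print(b["start"].date(), b["covered"].days, "days", b["complete"])
    print("avg, all buckets:     ", avg_count(buckets(start, end, WEEK)))
    print("avg, complete only:   ",
          avg_count(buckets(start, end, WEEK), complete_only=True))
    print("avg, interval-aligned:",
          avg_count(buckets(start, end, WEEK, align="interval")))
```

Under these assumptions the epoch-aligned buckets cover 1, 7 and 6 days, so averaging all three understates the weekly count, while filtering on `complete` or aligning to the interval start gives 70.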