The Splunk bucketing option allows you to group events into discreet buckets of information for better analysis. For example, the number of events returned from the indexed data might be overwhelming, so it makes more sense to group or bucket them by a span (or a time range) of time (seconds, minutes, hours, days, months, or even subseconds).

We can use the following example to illustrate this point:

tm1* error | stats count(_raw) by _time source

Notice the generated output:

Here is an additional example:

tm1* error | bucket _time span=5d | stats count(_raw) by _time source

The output obtained is as follows: