Prepares your events for calculating the autoregression, or the moving average, by copying one or more of the previous values for field into each event.
The first few events will lack the augmentation of prior values, since the prior values do not exist.
autoregress <field> [AS <newfield>] [ p=<int> | p=<int>-<int> ]
- Syntax: <string>
- Description: The name of a field. Most usefully a field with numeric values.
- Syntax: p=<int> | p=<int>-<int>
- Description: Specifies which prior events to copy values from. You can specify a single integer or a numeric range. For a single value, such as 3, the
autoregresscommand copies field values from the third prior event into a new field. For a range, the
autoregresscommand copies field values from the range of prior events. For example, if you specify a range such as
p=2-4, then the field values from the second, third, and fourth prior events are copied into new fields.
- Default: 1
- Syntax: <field>
- Description: If
pis set to a single integer, the
newfieldargument specifies a field name to copy the single field value into. Invalid if
pis set to a range.
newfield argument is not specified, the single or multiple values are copied into fields with the names <field>_p<num>. For example, if
field=count, the field names are count_p2, count_p3, count_p4.
For each event, copy the 3rd previous value of the 'ip' field into the field 'old_ip'.
... | autoregress ip AS old_ip p=3
For each event, copy the 2nd, 3rd, 4th, and 5th previous values of the 'count' field.
... | autoregress count p=2-5
new field argument is not specified, the values are copied into the fields 'count_p2', 'count_p3', 'count_p4', and 'count_p5'.
Calculate a moving average of event size over the current event and the four prior events. This search omits the moving_average for the initial events, where the field would be wrong, because summing null fields is considered null.
... | eval rawlen=len(_raw) | autoregress rawlen p=1-4 | eval moving_average=(rawlen + rawlen_p1 + rawlen_p2 + rawlen_p3 +rawlen_p4 ) /5
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2012, 8.1.2011, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107, 8.2.2109