Splunk Cloud Platform

Search Reference

autoregress

Description

Prepares your events for calculating the autoregression, or the moving average, by copying one or more of the previous values for field into each event.

The first few events will lack the augmentation of prior values, since the prior values do not exist.

Syntax

autoregress <field> [AS <newfield>] [ p=<int> | p=<int>-<int> ]

Required arguments

field
Syntax: <string>
Description: The name of a field. Most usefully a field with numeric values.

Optional arguments

p
Syntax: p=<int> | p=<int>-<int>
Description: Specifies which prior events to copy values from. You can specify a single integer or a numeric range. For a single value, such as 3, the autoregress command copies field values from the third prior event into a new field. For a range, the autoregress command copies field values from the range of prior events. For example, if you specify a range such as p=2-4, then the field values from the second, third, and fourth prior events are copied into new fields.
Default: 1
newfield
Syntax: <field>
Description: If p is set to a single integer, the newfield argument specifies a field name to copy the single field value into. Invalid if p is set to a range.

If the newfield argument is not specified, the single or multiple values are copied into fields with the names <field>_p<num>. For example, if p=2-4 and field=count, the field names are count_p2, count_p3, count_p4.

Usage

The autoregress command is a centralized streaming command. See Command types.

Examples

Example 1:

For each event, copy the 3rd previous value of the 'ip' field into the field 'old_ip'.

... | autoregress ip AS old_ip p=3

Example 2:

For each event, copy the 2nd, 3rd, 4th, and 5th previous values of the 'count' field.

... | autoregress count p=2-5

Since the new field argument is not specified, the values are copied into the fields 'count_p2', 'count_p3', 'count_p4', and 'count_p5'.

Example 3:

Calculate a moving average of event size over the current event and the four prior events. This search omits the moving_average for the initial events, where the field would be wrong, because summing null fields is considered null.

... | eval rawlen=len(_raw) | autoregress rawlen p=1-4 | eval moving_average=(rawlen + rawlen_p1 + rawlen_p2 + rawlen_p3 +rawlen_p4 ) /5

See also

accum, delta, streamstats, trendline

Last modified on 13 November, 2021
audit   awssnsalert

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters