autoregress
Description
Prepares your events for calculating the autoregression, or the moving average, by copying one or more of the previous values for field into each event.
The first few events will lack the augmentation of prior values, since the prior values do not exist.
Syntax
autoregress <field> [AS <newfield>] [ p=<int> | p=<int>-<int> ]
Required arguments
- field
- Syntax: <string>
- Description: The name of a field. Most usefully a field with numeric values.
Optional arguments
- p
- Syntax: p=<int> | p=<int>-<int>
- Description: Specifies which prior events to copy values from. You can specify a single integer or a numeric range. For a single value, such as 3, the
autoregress
command copies field values from the third prior event into a new field. For a range, theautoregress
command copies field values from the range of prior events. For example, if you specify a range such asp=2-4
, then the field values from the second, third, and fourth prior events are copied into new fields. - Default: 1
- newfield
- Syntax: <field>
- Description: If
p
is set to a single integer, thenewfield
argument specifies a field name to copy the single field value into. Invalid ifp
is set to a range.
If the newfield
argument is not specified, the single or multiple values are copied into fields with the names <field>_p<num>. For example, if p=2-4
and field=count
, the field names are count_p2, count_p3, count_p4.
Usage
The autoregress
command is a centralized streaming command. See Command types.
Examples
Example 1:
For each event, copy the 3rd previous value of the 'ip' field into the field 'old_ip'.
... | autoregress ip AS old_ip p=3
Example 2:
For each event, copy the 2nd, 3rd, 4th, and 5th previous values of the 'count' field.
... | autoregress count p=2-5
Since the new field
argument is not specified, the values are copied into the fields 'count_p2', 'count_p3', 'count_p4', and 'count_p5'.
Example 3:
Calculate a moving average of event size over the current event and the four prior events. This search omits the moving_average for the initial events, where the field would be wrong, because summing null fields is considered null.
... | eval rawlen=len(_raw) | autoregress rawlen p=1-4 | eval moving_average=(rawlen + rawlen_p1 + rawlen_p2 + rawlen_p3 +rawlen_p4 ) /5
See also
audit | awssnsalert |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!