Splunk Cloud Platform

Search Reference



Computes the moving averages of fields: simple moving average (sma), exponential moving average (ema), and weighted moving average (wma) The output is written to a new field, which you can specify.

SMA and WMA both compute a sum over the period of most recent values. WMA puts more weight on recent values rather than past values. EMA is calculated using the following formula.

EMA(t) = alpha * EMA(t-1) + (1 - alpha) * field(t)

where alpha = 2/(period + 1) and field(t) is the current value of a field.


trendline ( <trendtype><period>"("<field>")" [AS <newfield>] )...

Required arguments

Syntax: sma | ema | wma
Description: The type of trend to compute. Current supported trend types include simple moving average (sma), exponential moving average (ema), and weighted moving average (wma).
Syntax: <num>
Description: The period over which to compute the trend, an integer between 2 and 10000.
Syntax: "("<field>")"
Description: The name of the field on which to calculate the trend.

Optional arguments

Syntax: <field>
Description: Specify a new field name to write the output to.
Default: <trendtype><period>(<field>)



Example 1: Computes a five event simple moving average for field 'foo' and writes the result to new field called 'smoothed_foo.' Also, in the same line, computes ten event exponential moving average for field 'bar'. Because no AS clause is specified, writes the result to the field 'ema10(bar)'.

... | trendline sma5(foo) AS smoothed_foo ema10(bar)

Example 2: Overlay a trendline over a chart of events by month.

index="bar" | stats count BY date_month | trendline sma2(count) AS trend | fields * trend

See also

accum, autoregress, delta, streamstats

Last modified on 22 July, 2020
transpose   tscollect

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters