Solved: Alternative to streamstats+last

duesser · ‎11-28-2023

I have this query, where I want to build a dataset from a variable and its 4 previous values. I can solve this like so:

| makeresults
| eval id=split("a,b,c,d,e,f,g",",")
| eval a=split("1,2,3,4,5,6,7",",")
| eval temp=mvzip(id,a,"|")
| mvexpand temp
| rex field=temp "(?P<id>[^|]+)\|(?P<a>[^|]+)"
| fields - temp
| streamstats current=false last(a) AS a_lag1
| streamstats current=false last(a_lag1) AS a_lag2
| streamstats current=false last(a_lag2) AS a_lag3
| streamstats current=false last(a_lag3) AS a_lag4
| where isnotnull(a_lag4)
| table id a*

However, if I want to extend this to say 100 previous values, this code would become convoluted and slow. I imagine there must be a better way to accomplish this goal, however my research has not produced any alternative.

Any ideas are appreciated.

ITWhisperer · ‎11-28-2023

Use autoregress something like this

| makeresults
| eval a=mvrange(1,102)
| mvexpand a
| autoregress a p=1-100

View solution in original post

ITWhisperer · ‎11-28-2023

Use autoregress something like this

| makeresults
| eval a=mvrange(1,102)
| mvexpand a
| autoregress a p=1-100

PickleRick · ‎11-28-2023

You mean something like

| streamstats <optionally current=f> window=10 list(myfield) <optionally BY another_field>

Alternative to streamstats+last

other

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!