I have this query, where I want to build a dataset from a variable and its 4 previous values. I can solve this like so:
| makeresults
| eval id=split("a,b,c,d,e,f,g",",")
| eval a=split("1,2,3,4,5,6,7",",")
| eval temp=mvzip(id,a,"|")
| mvexpand temp
| rex field=temp "(?P<id>[^|]+)\|(?P<a>[^|]+)"
| fields - temp
| streamstats current=false last(a) AS a_lag1
| streamstats current=false last(a_lag1) AS a_lag2
| streamstats current=false last(a_lag2) AS a_lag3
| streamstats current=false last(a_lag3) AS a_lag4
| where isnotnull(a_lag4)
| table id a*
However, if I want to extend this to say 100 previous values, this code would become convoluted and slow. I imagine there must be a better way to accomplish this goal, however my research has not produced any alternative.
Any ideas are appreciated.
Use autoregress something like this
| makeresults
| eval a=mvrange(1,102)
| mvexpand a
| autoregress a p=1-100
Use autoregress something like this
| makeresults
| eval a=mvrange(1,102)
| mvexpand a
| autoregress a p=1-100
You mean something like
| streamstats <optionally current=f> window=10 list(myfield) <optionally BY another_field>