Solved: Alternative to streamstats+last

duesser · ‎11-28-2023

I have this query, where I want to build a dataset from a variable and its 4 previous values. I can solve this like so:

| makeresults
| eval id=split("a,b,c,d,e,f,g",",")
| eval a=split("1,2,3,4,5,6,7",",")
| eval temp=mvzip(id,a,"|")
| mvexpand temp
| rex field=temp "(?P<id>[^|]+)\|(?P<a>[^|]+)"
| fields - temp
| streamstats current=false last(a) AS a_lag1
| streamstats current=false last(a_lag1) AS a_lag2
| streamstats current=false last(a_lag2) AS a_lag3
| streamstats current=false last(a_lag3) AS a_lag4
| where isnotnull(a_lag4)
| table id a*

However, if I want to extend this to say 100 previous values, this code would become convoluted and slow. I imagine there must be a better way to accomplish this goal, however my research has not produced any alternative.

Any ideas are appreciated.

ITWhisperer · ‎11-28-2023

Use autoregress something like this

| makeresults
| eval a=mvrange(1,102)
| mvexpand a
| autoregress a p=1-100

View solution in original post

ITWhisperer · ‎11-28-2023

Use autoregress something like this

| makeresults
| eval a=mvrange(1,102)
| mvexpand a
| autoregress a p=1-100

PickleRick · ‎11-28-2023

You mean something like

| streamstats <optionally current=f> window=10 list(myfield) <optionally BY another_field>

Alternative to streamstats+last

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?