Splunk Search

Is it possible to autoregress by unique site

Amohlmann
Communicator

I get a series of unique sites sending through the size of Database. I would like to show the growth of their DB to see if it is growing too quickly.

I am currently doing this using streamstats and it works fine but is a bit messy. I feel like I could use autoregress to tidy things up, but I cannot find a way to autoregress by site ID.

My current base search leaves a table that is sorted by time but with a mix of unique sites. I would like to compare the latest result from each site with the previous result of THAT site.

Would it be possible to do something like this:

basesearch|autoregress DBSizeCurrent as DBSizePrevious by siteID p=1

This does not work, but I feel like I must be doing something wrong. Or can you not use the 'by' argument in autoregress at all?

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi Amohlmann,

the autoregress docs http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Autoregress do not mention anything about the usage of by.
You could use streamstats or eventstats to get the previous event, try this run everywhere command:

index=_internal kbps>=10 | streamstats current=f last(kbps) AS last_kbps last(_time) AS last_time by _time | table _time, kbps, last_time, last_kbps

You could also use the window option for streamstats if you need more than just one previous event, see docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Streamstats

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi Amohlmann,

the autoregress docs http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Autoregress do not mention anything about the usage of by.
You could use streamstats or eventstats to get the previous event, try this run everywhere command:

index=_internal kbps>=10 | streamstats current=f last(kbps) AS last_kbps last(_time) AS last_time by _time | table _time, kbps, last_time, last_kbps

You could also use the window option for streamstats if you need more than just one previous event, see docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Streamstats

Hope this helps ...

cheers, MuS

Amohlmann
Communicator

Thanks MuS, that is what I am already doing just thought there might have been a work around for autoregress.
Guess not.

Thanks for your help

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...