Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to autoregress by unique site

Amohlmann
Communicator
‎09-17-2015 04:14 PM

I get a series of unique sites sending through the size of Database. I would like to show the growth of their DB to see if it is growing too quickly.

I am currently doing this using streamstats and it works fine but is a bit messy. I feel like I could use autoregress to tidy things up, but I cannot find a way to autoregress by site ID.

My current base search leaves a table that is sorted by time but with a mix of unique sites. I would like to compare the latest result from each site with the previous result of THAT site.

Would it be possible to do something like this:

basesearch|autoregress DBSizeCurrent as DBSizePrevious by siteID p=1

This does not work, but I feel like I must be doing something wrong. Or can you not use the 'by' argument in autoregress at all?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-17-2015 04:35 PM

Hi Amohlmann,

the autoregress docs http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Autoregress do not mention anything about the usage of by.
You could use streamstats or eventstats to get the previous event, try this run everywhere command:

index=_internal kbps>=10 | streamstats current=f last(kbps) AS last_kbps last(_time) AS last_time by _time | table _time, kbps, last_time, last_kbps

You could also use the window option for streamstats if you need more than just one previous event, see docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Streamstats

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-17-2015 04:35 PM

Hi Amohlmann,

the autoregress docs http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Autoregress do not mention anything about the usage of by.
You could use streamstats or eventstats to get the previous event, try this run everywhere command:

index=_internal kbps>=10 | streamstats current=f last(kbps) AS last_kbps last(_time) AS last_time by _time | table _time, kbps, last_time, last_kbps

You could also use the window option for streamstats if you need more than just one previous event, see docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.6/SearchReference/Streamstats

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

Amohlmann
Communicator
‎09-17-2015 04:36 PM

Thanks MuS, that is what I am already doing just thought there might have been a work around for autoregress.
Guess not.

Thanks for your help

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...