Is there a way we can calculate moving averages - Windows & x(t)?

anirban_td
Explorer

Hello splunkers!

Is there a way we can calculate moving/rolling averages such that the current data point, ```x(t)```, is somewhere in the middle of the window, rather than at the boundaries?
Ex: If ```window=5```, I want the MA to be calculated like:

MA = avg(x(t-2), x(t-1), x(t), x(t+1), x(t+2))

I am okay with using MLTK or any other method of implementing this.

---------------------------

For reference, in the following query, I show two similar methods of calculating MA here, based on previous values of x(t):

MA = avg(x(t-4), x(t-3), x(t-2), x(t-1), x(t))

```
| makeresults count=100
| streamstats count as s
| eval n=(random() % 100000) + 1
| table s n
| streamstats window=5 avg(n) as trend
| autoregress n p=1-5
| fillnull value=0
| eval ma = avg(n, n_p1, n_p2, n_p3, n_p4)
| fields s n ma trend
```

---------

PS: I am aware that in both methods, the absence of earlier/later values at the boundaries will cause the MA model to be inaccurate - I am okay to work around that. 

Thanks in advance!

 


Adnan
New Member

You can use the "windowstats" command to achieve your goal.

First download the windowstats app from here:

https://splunkbase.splunk.com/app/7329

```
your query | windowstats field=<field name> window=4 function=avg style=gradual
```

OR

```
your query | windowstats field=<field name> window=4 function=avg style=dynamic
```

The difference between gradual and dynamic is how the window will be handled on the edges.

When t=0 (first element) and window size is 4 (window=4 means 4 without counting the middle value, so the total window size will be 5):

gradual will be

```
x(t), x(t+1), x(t+2), x(t+3), x(t+4)
```

dynamic will be:

```
x(t), x(t+1), x(t+2)
```

When t=size (last element) and window size is 4 (window=4 means 4 without counting the middle value, so the total window size will be 5):

gradual will be

```
x(t-4), x(t-3), x(t-2), x(t-1), x(t)
```

dynamic will be:

```
x(t-2), x(t-1), x(t)
```

Both dynamic and gradual work in the same way for the middle values.

Happy Splunking!


ITWhisperer
SplunkTrust

What about something like this?

```
| makeresults count=100
| streamstats count as s
| eval n=(random() % 100000) + 1
| table s n
| streamstats window=5 avg(n) as trend
| reverse
| autoregress trend p=2 as ra
| reverse
| fillnull value=0
```
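To make the three window shapes discussed in this thread concrete, here is a worked example in plain Python rather than SPL. It is an added example, not code from the thread, from Splunk, or from the windowstats app. `trailing_ma` is the streamstats-style MA from the original question, `centered_ma` implements the centered MA with the gradual and dynamic edge behaviours as Adnan describes them, and `centered_via_shift` reproduces ITWhisperer's reverse/autoregress trick (take the trailing average from `p` rows later). The function names, the `style` and `half` parameters and the `SAMPLE` series are my own; `half=2` is my reading of the thread's window=4 / total width 5 example. The assumption that `streamstats window=N` simply averages the rows available so far at the start of the series is mine as well.

```python
from statistics import mean

# Constructed sample series, not data from the thread; any list of numbers works.
SAMPLE = [10, 20, 30, 40, 50, 60, 70, 80, 90, 100]


def trailing_ma(xs, window):
    """Trailing average avg(x(t-window+1) .. x(t)), the streamstats-style MA.

    At the start the window is truncated to the rows seen so far (assumed here
    to match `streamstats window=N`; the OP's autoregress+fillnull variant
    pads the missing rows with 0 instead, which drags the first averages down).
    """
    return [mean(xs[max(0, t - window + 1):t + 1]) for t in range(len(xs))]


def centered_ma(xs, half, style="dynamic"):
    """Centered average over x(t-half) .. x(t+half), total width 2*half+1.

    `half` is the number of points on each side of x(t) (the middle value is
    not counted), following the thread's window=4 / total width 5 example.
    Edge handling follows the two styles described in the thread:
      style="dynamic": the window is clipped at the edges, so the first and
                       last rows average fewer points.
      style="gradual": the window keeps its full width and is slid inward, so
                       row 0 averages x(0)..x(2*half).
    """
    n = len(xs)
    width = 2 * half + 1
    out = []
    for t in range(n):
        if style == "dynamic":
            lo, hi = max(0, t - half), min(n, t + half + 1)
        elif style == "gradual":
            lo = min(max(0, t - half), max(0, n - width))
            hi = min(n, lo + width)
        else:
            raise ValueError(f"unknown style: {style}")
        out.append(mean(xs[lo:hi]))
    return out


def centered_via_shift(xs, window):
    """ITWhisperer's trick: the trailing MA that *ends* at t+half is exactly the
    centered MA for t. `reverse | autoregress trend p=half | reverse` fetches
    that value from `half` rows later; the last `half` rows get null (None here)
    because nothing follows them, which is what the thread's fillnull zeroes.
    """
    half = window // 2
    tr = trailing_ma(xs, window)
    n = len(xs)
    return [tr[t + half] if t + half < n else None for t in range(n)]


if __name__ == "__main__":
    rows = zip(trailing_ma(SAMPLE, 5),
               centered_ma(SAMPLE, 2, "dynamic"),
               centered_ma(SAMPLE, 2, "gradual"),
               centered_via_shift(SAMPLE, 5))
    for t, (a, b, c, d) in enumerate(rows):
        shifted = "-" if d is None else f"{d:6.1f}"
        print(f"t={t:2d} x={SAMPLE[t]:4d} trailing={a:6.1f} "
              f"dynamic={b:6.1f} gradual={c:6.1f} shifted={shifted}")
```

Running it shows the point of the thread in one table: the trailing MA lags the series by two rows, the shifted trailing MA lines up with the dynamic centered MA everywhere except the last `half` rows (where autoregress has nothing to look ahead to), and gradual simply repeats the first and last full-width averages at the edges instead of shrinking the window.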