Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Streamstats vs autoregress

PickleRick
SplunkTrust
SplunkTrust
‎11-16-2021 09:57 AM

Hello.

I've noticed that in many solutions when there is a need for a value from previous row, streamstats with window=1 is used. For example - https://community.splunk.com/t5/Splunk-Search/Unable-to-subtract-one-days-hours-from-previous-days-t...

In similar cases I tended to use autoregress which behaves more or less the same.

The question is - what are pros/cons of each of those commands? Do they have some non-obvious limitations? Is any "better" than the other?

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-16-2021 12:32 PM

@PickleRick 

I've found that autoregress has far less applicability that the equivalent streamstats. The main 'limitation' autoregress has in my view is that is does not cope with any split by clause and in almost every case I have wanted to calculate moving averages, I have needed a split by clause.

Also, autoregress will just copy values from previous rows to the current row and if you still want to calculate ranges between those values, you must run a subsequent calculation to work out the difference, e.g. compare

index=_audit
| streamstats window=2 range(_time) as r
| autoregress _time as t p=1 
| eval d=t-_time
| table _time r t d

@ITWhisperer example in your link showing streamstats with the window of 1 and then the eval, can be done with the window of 2 and the range() clause, as above.

As you can see from this split by clause, autoregress cannot handle the calculation of d when looking at the user.

index=_audit
| streamstats global=f window=2 range(_time) as r by user
| autoregress _time as t p=1 
| eval d=t-_time
| table _time user r t d

As for performance, I've not tested comparisons for either, but both are centralized streaming commands, meaning both will run on the search head, so should always work on the smallest dataset possible.

autoregress is naturally an easy command to use, whereas streamstats with split by and all the flags, (current, global, reset*) make it powerful, but somewhat less intuitive.

 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-16-2021 02:30 PM

Thank you for an exhaustive response. I always found autoregress more straightforward and obvious but it seems I sill have to learn a bit more about streamstats. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...